NASA Contractor Report 4239 


Formal Verification of a 
Fault Tolerant Clock 
Synchronization Algorithm 


John Rushby and Frieder von Henke 
SRI International 
Menlo Park, California 


Prepared for 

Langley Research Center 

under Contract NAS 1-17067 


NASA 

National Aeronautics and 
Space Administration 

Office of Management 

Scientific and Technical 
Information Division 


1989 


Abstract 


We describe a formal specification and mechanically assisted verification of 
the Interactive Convergence Clock Synchronization Algorithm of Lamport 
and Melliar-Smith [11]. In the course of this work, we discovered several 
technical flaws in the analysis given by Lamport and Melliar-Smith, even 
though their presentation is unusually precise and detailed. As far as we 
know, these flaws (affecting the main theorem and four of its five lemmas) 
were not detected by the “social process” of informal peer scrutiny to which 
the paper has been subjected since its publication. We discuss the flaws 
in the published proof and give a revised presentation of the analysis that 
not only corrects the flaws in the original, but is also more precise and, we 
believe, easier to follow. This informal presentation was derived directly 
from our formal specification and verification. Some of our corrections to 
the flaws in the original require slight modifications to the assumptions 
underlying the algorithm and to the constraints on its parameters, and thus 
change the external specifications of the algorithm. 

The formal analysis of the Interactive Convergence Clock Synchroniza- 
tion Algorithm was performed using our EHDM formal specification and 
verification environment. This application of EHDM provides a demonstra- 
tion of some of the capabilities of the system. 
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Chapter 1 

Introduction 


The Interactive Convergence Clock Synchronization Algorithm is an impor- 
tant and fairly difficult algorithm. It is important because the synchroniza- 
tion of clocks is fundamental to the fault tolerance mechanisms employed in 
critical process control systems such as fly-by-wire digital avionics. It is dif- 
ficult because its analysis must consider the relationships among quantities 
(i.e., clock values) that are continually changing — and changing moreover at 
slightly different rates — and because it must deal with the possibility that 
some of the clocks may be faulty and may exhibit arbitrary behavior. Thus, 
although the algorithm is easy to describe and a broad understanding of why 
it works can be obtained fairly readily, its rigorous analysis, and the deriva- 
tion of bounds on the synchronization that it can achieve, require attention 
to a mass of detail and very careful explication of assumptions. 

Lamport and Melliar-Smith’s paper [11] is a landmark in the field. They 
not only introduced the Interactive Convergence Clock Synchronization Al- 
gorithm, but two other algorithms as well, and they also developed formal- 
izations of the assumptions and desired properties that made it possible to 
give a precise statement and proof for the correctness of clock synchroniza- 
tion algorithms. Nonetheless, the proof given by Lamport and Melliar-Smith 
is hard to internalize: there is much detailed argument, some involving ap- 
proximate arithmetic and neglect of insignificant terms, and it is not easy 
to convince oneself that all the details mesh correctly. It is precisely in 
performing conceptually simple, but highly detailed arguments (i.e., cal- 
culations ) that the human mind seems most fallible, and machines most 
effective. Consequently, the Interactive Convergence Clock Synchronization 
Algorithm seems an excellent candidate for mechanical verification. This re- 
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port describes a mechanized proof of the correctness of the algorithm using 
the EHDM formal specification and verification environment. 

As we performed the formal specification and verification of the Inter- 
active Convergence Clock Synchronization Algorithm, we discovered that 
the presentation given by Lamport and Melliar-Smith was flawed in several 
details. One of the principal sources of error and difficulty was the use by 
Lamport and Melliar-Smith of approximations— i.e., approximate equality 
(cs) and inequalities (~ and ~ ) — in order to “simplify the calculations. We 
eventually found that elimination of the approximations not only removed 
one class of errors, but actually simplified the analysis and presentation. 
We also found and corrected several other technical flaws in the published 
proof of Lamport and Melliar-Smith. A discussion of these flaws is given 
in Chapter 3. Some of our corrections require slight modifications to the 
assumptions underlying the algorithm, and to the constraints on its param- 
eters, and thus change the external specifications of the algorithm. Our 
formal specification and verification of the algorithm is described in Chap- 
ter 4; the detailed listings are to be found in the Appendices. 

We discuss the lessons learned from this exercise, and our view of the 
role and utility of formal specification and verification in Chapter 5. To 
summarize those conclusions: we now believe the Interactive Convergence 
Clock Synchronization Algorithm to be correct, not because our theorem 
prover says it is, but because the experience of arguing with the theorem 
prover has forced us to clarify our assumptions and proofs to the point 
where we think we really understand the algorithm and its analysis. As a 
result, we can present an argument for the correctness of the algorithm, in 
the style of a traditional mathematical presentation, that we believe is truly 
compelling. This presentation is given in Chapter 2 and follows very closely 
the presentation given in Sections 2.1, 3, and 4 of the original paper [11, 
pages 53-66]. However, the details of the proof were extracted directly from 
our formal verification. 

It is this traditional mathematical presentation of our revised proof of 
correctness for the Interactive Convergence Clock Synchronization Algo- 
rithm that we consider the main contribution of this work; we hope that 
anyone contemplating using the algorithm will study our presentation and 
will convince themselves of the correctness of the algorithm and of the ap- 
propriateness of the assumptions (and of the ability of their implementation 
to satisfy those assumptions). We stress that our presentation merely dots 
the i’s and crosses some important t’s in the original; the substance of all 
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the arguments is due to Lamport and Melliar-Smith. Those already famil- 
iar with the original presentation should probably read Chapter 3 before 
Chapter 2. (Indeed, they may then want to skip Chapter 2 altogether.) 
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Chapter 2 

Traditional Mathematical 
Presentation of the 
Algorithm and its Analysis 


Many distributed systems depend upon a common notion of time that is 
shared by all components. Usually, each component contains a reasonably 
accurate clock and these clocks are initially synchronized to some common 
value. Because the clocks may not all run at precisely the same rate, they 
will gradually drift apart and it will be necessary to resynchronize them 
periodically. In a fault-tolerant system, this resynchronization must be ro- 
bust even if some clocks are faulty: the presence of faulty clocks should not 
prevent those components with good clocks from synchronizing correctly. 

The design, and especially the analysis, of fault-tolerant clock synchro- 
nization algorithms is a surprisingly difficult endeavor, especially if one 
admits the possibility of “two-faced” clocks and other so-called Byzantine 
faults. 

Consider a system with three components: A, B, and C\ A and C have 
good clocks, but B’s clock is faulty. A’s clock indicates 2.00 pm, C’s 2.01 
pm, and B y s clock indicates 1:58 pm to A but 2.03 pm to C. A sees that 
C’ s clock is ahead of its own, and that J3’s is behind by a somewhat greater 
amount; it would be natural therefore for A to set its own clock back a little. 
This situation is reversed, however, when considered from C’s perspective. 
C sees that A’s clock is a little behind its own and that B’s is ahead by a 
rather greater amount; it will be natural for C to set its own clock forward 
a little. Thus the faulty clock B has the effect of driving the good clocks 
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A and C further apart. The behavior of B’s clock that produces this effect 
may seem actively malicious and therefore implausible. This is not so, how- 
ever. A failed clock may plausibly act as a random number generator (noisy 
diodes are indeed used as hardware random number generators) and could 
thereby distribute very different values to different components in response 
to inquiries received very close together. Of course, one can postulate a 
design in which a single clock value is latched and then distributed to all 
other components — but then one must provide compelling evidence for the 
correctness of the latching mechanism and the impossibility of cummuni- 
cation errors, and for the correctness of a clock synchronization algorithm 
built on these assumptions. 

Accurate clock synchronization is one of the fundamental requirements 
for fault-tolerant real-time control systems, such as flight-critical digital 
avionics. These systems use replicated processors in order to tolerate hard- 
ware faults; several processors perform each computation and the results 
are subjected to majority voting. It is vital to this process that the repli- 
cated processors keep in step with each other so that voting is performed on 
computations belonging to the same “frame.” Since synchronization of pro- 
cessors’ clocks is essential for the fault-tolerance provided by this approach, 
it is clear that the clock synchronization process must itself be exceptionally 
fault-tolerant. In particular, it should make only very robust assumptions 
about the behavior of faulty processors’ clocks. 

The strongest clock synchronization algorithms make no assumptions 
whatever about the behavior of faulty clocks. Lamport and Melliar- 
Smith [ll] describe three such fault-tolerant clock synchronization algo- 
rithms. These algorithms work in the presence of any kind of fault — 
including malicious two-faced clocks such as that described above. Of course, 
there must not be too many faulty clocks. The first algorithm presented by 
Lamport and Melliar-Smith, the Interactive Convergence Algorithm , can tol- 
erate up to m faults amongst 3m + 1 clocks. Thus, 4 clocks are required 
to guarantee the ability to withstand a single fault. Dolev, Halpern and 
Strong have shown that 3m + 1 clocks are required to allow synchronization 
in the presence of m faults unless digital signatures are used [8]. Thus, the 
Interactive Convergence algorithm requires the minimum possible number 
of clocks for its class of algorithms. 

The Interactive Convergence Clock Synchronization Algorithm is quite 
easy to describe in broad outline: periodically, each processor reads the dif- 
ferences between its clock and those of all other processors, replaces those 
differences that are “too large” by zero, computes the average of the result- 
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ing values, and adjusts its clock by that amount. For descriptions of other 
clock synchronization algorithms, presented in a consistent notation, see 
the surveys by Butler [4] (which includes hardware techniques) and Schnei- 
der [15]. A new class of probabilistic clock synchronization algorithms that 
have extremely good performance (in terms of how close the clocks can be 
synchronized) has recently been introduced by Cristian [6], but so far the 
algorithms in this class are not tolerant of Byzantine failures. 

In the next section we give an informal overview of the analysis of the In- 
teractive Convergence Clock Synchronization Algorithm. This should sup- 
port the reader’s intuition during the more formal analysis in the section 
that follows. Although “formal” in the sense of traditional mathematical 
presentations, this level of analysis is not truly formal (in the sense of be- 
ing based on an explicit set of axioms and rules of inference) — that level of 
presentation is described in Chapter 4 and its supporting Appendices. 


2.1 Informal Overview 

We assume a number of components (generally called “processors”) each 
having its own clock. Nonfaulty clocks all run at approximately the correct 
rate and are assumed to be approximately synchronized initially. Due to 
the slight differences in their running rates, the clocks will gradually drift 
apart and must be resynchronized periodically. We are concerned with the 
problem of performing this resynchronization; we are not concerned with the 
problem of maintaining the clocks in synchrony with some external “objec- 
tive” time (see Lamport [12] for a discussion of this problem), nor are we con- 
cerned with the problem of synchronizing the clocks initially, although the 
closeness with which the initial synchronization is performed will limit how 
closely the clocks can be brought together in subsequent resynchronizations. 1 

The goal of periodic resynchronizations is to ensure that all nonfaulty 
clocks have approximately the same value at any time. A secondary goal 
is to accomplish this without requiring excessively large adjustments to the 
value of any clock during the synchronization process. Formalizing these 
two goals and the assumptions identified earlier is one of the major steps 
in the verification of the Interactive Convergence Clock Synchronization 
Algorithm. For future convenience, we label and explicitly identify them 


a The initial synchronization establishes a bound that cannot be bettered in the worst- 
case; in practice subsequent resynchronizations may improve on the initial synchronization. 
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here (using the same names as [11]), and give them the following informal 
characterizations : 

Requirements 

Si! At any time, the values of all the nonfaulty processors’ clocks must 
be approximately equal. (The maximum skew between any two good 
clocks is denoted by £. 2 ) 

S2: There should be a small bound (denoted S) on the amount by which 
a nonfaulty processor’s clock is changed during each resynchroniza- 
tion. (When taken with A1 below, this requirement rules out trivial 
solutions that merely set the clocks to some fixed value.) 

Assumptions 

AO: All clocks are initially synchronized to approximately the same value. 
(The maximum initial skew is denoted 6q.) 

Al: All nonfaulty processors’ clocks run at approximately the correct rate. 
(The maximum drift is a parameter denoted by p.) 

Schneider [15] shows that all Byzantine clock synchronization algorithms 
can be viewed as different refinements of a single paradigm: periodically, the 
processors decide that it is time to resynchronize their clocks, each processor 
reads the clocks of the other processors, forms a “fault tolerant average” of 
their values, and sets its own clock to that value. There are three main 
elements to this paradigm: 

1. Each processor must be able to tell when it is time to resynchronize 
its clock with those of other processors, 

2. Each processor must have some way of reading the clocks of other 
processors, 

3. There must be a convergence function which each processor uses to 
form the “fault tolerant average” of clock values. 

In the Interactive Convergence Clock Synchronization Algorithm, each 
processor performs a constant round of activity, executing a series of tasks 

a A summary of the notation and definitions used is given in Table 2.1 on Page 15. 
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over and over again. Each iteration of this series of tasks consumes an 
interval of time called a period. All periods are supposed to be of the same 
duration, denoted by R. The final task in each period, occupying an interval 
of time denoted by S, is the clock synchronization task. Each processor uses 
its own clock to schedule the tasks performed during each period. Thus, 
each processor relies on its own clock to trigger the clock synchronization 
task; because the nonfaulty clocks were resynchronized during the previous 
synchronization task and cannot have drifted too far apart since then, all 
processors with nonfaulty clocks will enter their clock synchronization tasks 
at approximately the same time. 

During its clock synchronization task, each processor reads the clock 
of every other processor. Of course, clock values are constantly changing 
and go “stale” if a long (or indeterminate) amount of time goes by between 
them being read and being used. For this reason, it is much more useful 
for each processor to record the difference between its clock and that of 
other processors. The closeness of the synchronization that can be accom- 
plished is strongly influenced by how accurately these clock differences can 
be read. This gives rise to the third assumption required by the Interactive 
Convergence Clock Synchronization Algorithm: 

Assumption 

A2: A nonfaulty processor can read the difference between its own clock 
and that of another nonfaulty processor with at most a small error. 
(The upper bound on this error is a parameter denoted by e). 

The remaining element that is needed to characterize the Interactive 
Convergence Clock Synchronization Algorithm is the definition of its con- 
vergence function. As suggested above, each processor should set its clock 
to a “fault tolerant average” of the clock values from all the processors. The 
obvious “average” value to use is the arithmetic mean, but this will not have 
the desired fault tolerance property if faulty processors inject wildly erro- 
neous values into the process. A simple remedy is for each processor to use 
its own clock value in place of those values that differ by “too much” from 
its own value. This function, called the “egocentric mean,” is the conver- 
gence function used in the Interactive Convergence Clock Synchronization 
Algorithm. The parameter that determines when clock differences are “too 
large” is denoted A. 

To gain an idea of why this works, consider two nonfaulty processors 
p and q. For simplicity, assume that these processors perform their syn- 
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chronization calculations simultaneously and instantaneously. If r is also a 
nonfaulty processor, then the estimates that p and q form of r’s clock value 
can differ by at most 2c. If r is a faulty processor, however, p and q could 
form estimates of its clock value that differ by as much as 2A + 6. (Since r 
could indicate a value as large as A different from each of p and q without 
being disregarded, and these processors could themselves have clocks that 
are 6 apart.) Assuming there are n processors, of which m are faulty, the 
egocentric means formed by p and q can therefore differ from each other by 
as much as 

2(n - m)c + m(5 + 2A) 
n 


Thus, provided 


6 > 2c + 


2mA 
n - m’ 


( 2 . 1 ) 


this procedure will maintain the clocks of p and q within 6 of each other, as 
required. 

Since a nonfaulty processor’s clock can differ from another’s by as much 
as 6, and reading its value can introduce a further error of c, it is clear that 
we must require 

A > 6 + c, 


since otherwise perfectly good clock values could be disregarded. This gives 


A - c > 6 


which, when taken with (2.1), yields 


3c < 


n - 3m 

A. 

n — m 


( 2 . 2 ) 


Because all the variables involved are strictly positive (except m, which is 
merely nonnegative), (2.2) implies 


n > 3m, 

showing that four clocks are required to tolerate a single failure. (Notice that 
seven clocks are required to withstand two simultaneous failures. However, 
if each failure can be detected and the system reconfigured before another 
failure occurs, then five clocks can withstand two failures.) 

Lamport and Melliar-Smith raise a couple of fine points that should be 
considered in implementation and application of the Interactive Convergence 
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Clock Synchronization Algorithm. The correction that occurs at each syn- 
chronization causes a discontinuity in clock values. If a correction is positive 
(because the clock has been running slow), then some units of clock time 
will vanish in the discontinuity as the correction is applied. Any task sched- 
uled to start in the vanished interval might not occur at all. Conversely, a 
negative correction (for a fast clock), can cause units of clock time to repeat, 
possibly causing a task to be executed a second time. One solution to these 
difficulties is to follow each clock synchronization with a “do nothing” task 
of duration at least S. An alternative, that has other attractive properties, 
is to avoid the discontinuity altogether and spread the application of the 
correction evenly over the whole period [11, pages 54-55]. 


2.2 Statement of the Clock Synchronization 
Problem and Algorithm 

The informal argument presented above did not account for the fact that 
the clocks may drift further apart in the period between synchronizations, 
nor did it allow for the facts that the algorithm takes time to perform, and 
that different processors will start it at slightly different times. Taking care 
of these details, and being precise about the assumptions employed, is the 
task of the more detailed argument presented in this section. 

The first step is to formalize what is meant by a clock, and what it means 
for a clock to run at approximately the correct rate. 

Physically, a clock is a counter that is incremented periodically by a 
crystal or line-frequency oscillator. By a suitable linear transformation, the 
counter value is converted to a representation of conventional “time” (e.g., 
the number of seconds that have elapsed since January 1st, 1960, Coordi- 
nated Universal Time). This internal estimation of time may be expected 
to drift somewhat from the external, standard record of time maintained by 
international bodies. In order to distinguish these two notions of time, we 
will describe the internal estimate of time that may be read from a proces- 
sor’s clock as clock time , and the external notion of time (that may not be 
directly observable) as real time . Following Lamport and Melliar-Smith, we 
use lowercase letters to denote quantities that represent real time, and upper 
case for quantities that represent clock time. Thus, “second” denotes the 
unit of real time, while “SECOND” denotes the unit of clock time. Within 
this convention, Roman letters are used to denote “large” values (on the or- 



2.2 . Statement of tie Clock Synchronization Problem and Algorithm 11 


der of tens of milliseconds), while Greek letters are used to denote “small” 
values (on the order of tens of microseconds). 

We are interested in process control applications where events are trig- 
gered by the passage of clock time — e.g., “start the furnace at 9 AM and 
stop it at 5 PM,” or “run the clock synchronization task every 5 SECONDS.” 
Our notion of synchronization is that activities scheduled for the same clock 
time in different processors should actually occur very close together in real 
time. 5 Thus, we define a clock c to be a mapping from clock time to real 
time: c(T) denotes the real time at which clock c reads T. Two clocks c and 
c' are said to be synchronized to within real time 6 at clock time T if they 
reach the value T within 8 seconds of each other — i.e., if |c(T) — c f (T)| < 8. 
The real time quantity |c(T) — c'(T)| is called the skew between c and c* at 
clock time T. Another measure of the divergence between these two clocks 
is the adjustment that one of them should make in order to reduce the skew 
to zero. The clock time quantity $ such that c(T + $) = c'(T) is called c’s 
adjustment to c* (at time T ). 

A clock is a “good clock” if it runs at a rate very close to the passage of 
real time. Lamport and Melliar-Smith define this formally in terms of the 
derivative of the clock function. However, since we will be using a mechanical 
verification system, and do not want to have to axiomatize a fragment of 
the differential calculus, we use a slightly different formulation taken from 
Butler [4]. 

Definition 1: A clock c is a good clock during the clock time interval 
[To,T n ] if 

c(r,)-c(r 2 ) t 

T t -T, 2' 

whenever T\ and T 2 (T\ ^ T^) are clock times in [To, TV]. 

Clocks are resynchronized every R SECONDS. We assume some starting 
time T°, define TW = T° + iR (s' > 0), and let R W denote the interval 
[T(*)j r( ,+1 )j, which we call the t’th period. The actual synchronization task 
is executed during the final S SECONDS of each period: all reading and 
transmitting of clock values occurs within the interval [T( l+1 ) - 5,7 1 (*+ 1 )] j 
which we call the t’th synchronizing period and denote by S W. 

8 For other classes of applications, the reverse notion may be more appropriate — e.g., 
if a single event is to be given (clock time) timestamps by different processors, then we 
may want the different timestamps (all triggered at the same real time) to be very close 
together. Lamport and Melliar-Smith [11, page 61] indicate how to convert between this 
notion of synchronization and the one used here. 
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We consider a set of n processors, where processor p has clock c p . Clocks 
are adjusted by adding a “correction” to their values; the correction used 
by processor p during the » ’th period is denoted O p ^ , so that the real time 
corresponding to clock time T on processor p during period i is c p (T+C p ^). 
We denote this quantity by c p \t) and we call c p ^ the logical clock for 
processor p during the t’th period. We call T + C p ^ the adjusted value of 
T for processor p in period i and denote it by A p \t) (so that cj^(T) = 
c p (A p ^(T))). For simplicity, we assume that the initial correction Cp = 0. 

The skew between the clocks of processors p and q at time T in is 
given by 

|cW(T) - 4‘>(T)|. 

The goal of the Interactive Convergence Clock Synchronization Algorithm 
is to bound this quantity for good clocks. We assume that all the clocks are 
synchronized within 6q of each other at the “starting time” T( 0 ); 

AO: For all processors p and g, (^(T^ 0 )) - 4°^(T(°))| < Sq . 

The process control applications that are of interest to us typically per- 
form a schedule of many separate tasks during each period. Our goal is to 
ensure that tasks which are scheduled to occur on different processors at 
the same clock time during a particular period actually occur very close to 
each other in real time. To achieve this, processor p should perform a task 
scheduled for time T in the t ’th period at the instant its clock actually reads 
Ap\T). A An obvious consequence is that the t’th period for processor p 
runs from when its adjusted clock reads TW until it reads That is, it 

is the clock time interval [Ap^(TW), Ap^(T( ,+1 ))]. Therefore, if a processor’s 
clock is to work long enough to complete the t’th period, it must be a good 
clock throughout the interval [A^(T( 0 )), a£*(T( <+ 1 ))]. This motivates the 
following definition of what it means for a processor to be nonfaulty: 

Al: We say that a processor is nonfaulty through period t if its clock is a 
good clock in the clock time interval [a£ 0 )(T( 0 )), A^(T(* +1 ))]. 

4 To see this, consider a processor whose clock gains one SECOND every hour and whose 
periods are of one HOUR duration. A task to be performed 5 MINUTES into period 3 should 
be started when the adjusted time reads 3 hours and 5 minutes from the initial time. The 
correction during period 3 will be -3 SECONDS, so that the task will be started when the 
clock actually reads 3 hours, 5 minutes and 3 seconds from the initial time. It can be seen 
that this is indeed the desired behavior. 
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There is another assumption about nonfaulty processors, which is not 
formalized and is not considered further during the analysis: this is the 
assumption that nonfaulty processors perform the algorithm correctly. 

Now we can state formally the goals that the Interactive Convergence 
Clock Synchronization Algorithm is to satisfy. 

Clock Synchronization Conditions: For all processors p and q, if all but 
at most m processors (out of n) are nonfaulty through period i, then 

Si: If p and q are nonfaulty through period », then for all T in R'*' 

l4«(T)- t W(T)|<«. 

S2: If processor p is nonfaulty through period i, then 

|Cp‘ +1) - Cjp\ < E. 

We now formalize Assumption A2 concerning the reading of clocks. The 
idea is that sometime during the Tth synchronizing period, processor p 
should obtain a value that indicates the difference between its own clock 
and that of another processor q . To synchronize exactly with q at some 
time T ' in p would need to know the ideal adjustment $£p that it 
should add to its own value so that Cp\T 9 + $qp) — In practice, p 

cannot obtain this value exactly, instead, it obtains an approximation Agp 
that is subject to a small error c. The formal statement is given below. 

A2: If conditions SI and S2 hold for the *’th period, and processor p is 
nonfaulty through period % , then for each other processor q , p obtains a 
value A^p during the synchronization period S M. If q is also nonfaulty 
through period t, then 

K‘»i < s 

and 

| C W(T' + Ag)-cW(T')|<c 

for some time T 1 in S^. 

If p = g, we take Aqp = 0 so that A2 holds in this case also. Notice that 
A2 requires SI and S2 to hold in the period concerned. This is because the 
method by which processors read the differences between their clocks may 
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require them to cooperate — which may in turn depend upon their clocks 
already being adequately synchronized. 

Finally, we can give a formal description of the Interactive Convergence 
Clock Synchronization Algorithm (in the following also referred to as “the 
Algorithm” for short). 

Algorithm CNV: For all processors p: 

C( ,+1 ) = c(') + 

where 

= (;)e*8. — 

A^ = if |A^| < A then A^ else 0. 


A summary of the notation and definitions introduced so far is given in 
Table 2.1 on Page 15. Some typical values for the parameters, based on an 
experimental validation using the SIFT computer [5], are given in Table 2.2 
on Page 17. 

2.3 Proof that the Algorithm maintains Synchro- 
nization 

We now need to prove that the Interactive Convergence Clock Synchroniza- 
tion Algorithm maintains the clock synchronization conditions SI and S2. 
Condition S2 is easy; the difficult part of the proof is to show that the Al- 
gorithm maintains Condition SI. The proof is an induction on * — we show 
that if the clocks are synchronized through period t , and if sufficient proces- 
sors remain nonfaulty through period t + 1, then the nonfaulty processors 
will remain synchronized through that next period. The actual proof is a 
mass of details, so it will be helpful to sketch the basic approach first. For 
reference, the statements of the main Lemmas are collected in Figure 2.1. 

2.3.1 Overview of the Proof 

We are interested in the skew between two nonfaulty processors during the 
« -f l’st period — that is, in the quantity 
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Symbol 

Concept 

n 

number of clocks 

m 

number of faulty clocks 

R 

clock time between synchronizations 

S 

clock time to perform synchronization algorithm 

t(») 

clock time at start of i’th period (= T (°) + iR) 

#(*■) 

i’th period (= [tM,t(*+i)]) 

s(0 

i’th synchronizing interval (= [T’(’ +1 ) - 5,T(’ +1 )]) 


cumulative correction for p’s clock in *’th period 

4\t) 

adjusted value of T for p’s clock in i’th period (= T + C^) 

e A T) 

real time when p’s clock reads T 

4 (r) 

real time in «’th period, when p’s clock reads T (= c p (Ap^(T))) 

s 

maximum real time skew between any two good clocks 

So 

maximum initial real time skew between any two clocks 

e 

maximum real time clock read error 

P 

maximum clock drift rate 

A W 

n.qp 

clock time difference between q and p seen by p in t’th period 

A 

cut off for Aqp 

Ai? 

if |A^| < A then A ['l else 0 

4‘> 

clock time correction made by p in t’th period (mean of A* p ’s) 

s 

maximum correction permitted 


Table 2.1: Notation, Parameters, and Concepts 
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Lemma 1: If the clock synchronization conditions SI and S2 hold for i, 
and processors p and q are nonfaulty through period t + 1, then 



< A. 


Lemma 2: If processor p is nonfaulty through period t + 1, and T 

and II are such that Ap^(T) and Ap\T + II) are both in the interval 
[aJ, 0) (T(°)), 4*+ 1) (7’('+ 2 ))], then 

|cM(r+n)-[c«(r)+n]|<£|n|. 

Lemma 3: If the clock synchronization conditions SI and SS hold for i, 
processors p and q are nonfaulty through period i + 1, and T e S^\ then 

|4’')( r + A(0)- c (0( T )|<e + p5. 


Lemma 4: If the clock synchronization conditions SI and S2 hold for i, 
processor 8 p, q, and r are nonfaulty through period i + 1, and T £ then 


| cW(T) + A W - [cW(T) + A«]| < 2(e + P S) + P A. 


Lemma 5: If the clock synchronization condition SI holds for i, processors 
p and q are nonfaulty through period i + 1, and T G 5^, then 

|cW(T) + Ag - [ C W(T) + AW]| < S + 2A. 


Figure 2.1: Statements of the Principal Lemmas used in The Proof 
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Parameter 

Value 

n 

6 

R 

104.8 msec. 

S 

3.2 msec 

So 

132 /usee, (typically, 10 //sec. is achieved) 

€ 

66.1 /usee, (typically, better than 15 /usee, is achieved) 

P 

15 x 10" 6 

A 

340 /isec. 

S 

340 /isec. 

6 

134 /isec. (m = 0), 271 /isec. (m = 1) 


Table 2.2: Typical Values for the Parameters 
where T G By the Algorithm, 

l4 i+1) (r) - C^'cni = |cW(r + aW) - 4<)(r + aM)|, ( 2 . 3 ) 

and since good clocks run at approximately the correct rate, c^(T + A^) 
and Cq )(T+Ag are close to Cp ^(T) + Ap ^ and to c^(T)+Aj’\ respectively. 
From this it follows that the right hand side of (2.3) can be approximated 
by 

|cW(r) + AW-[cW(r) + A W]|. 

A major step in the proof, identified as Lemma 2, is concerned with bounding 
the error introduced by this approximation. Then, since a!^ and A^ are the 
averages of A r p and A r g, it is natural to consider the individual components 

|eW(r) + A»-[e<0(r) + AW]|. (2.4) 

There are two cases to consider. The first, in which only p and q are assumed 
nonfaulty, is the focus of Lemma 5, while the second, in which r is also 
assumed nonfaulty, is considered in Lemma 4. The first case is quite easy — 
the Algorithm ensures that A^ and Aty can be no larger than A, while 
c p\t) and Cq^(T) can differ by no more than 8 (by the inductive hypothesis). 
For the second case, Lemma 1 provides the result |A^| < A, so that the 

Algorithm will establish A$ = A$ and A $ = a[’J. The quantity (2.4) is 
then rewritten as 

| C W(T) + A« - c«(T) - [cW(T) + A« _ C «(T)]|. 
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Regarding this as the absolute difference of two similar expressions, we are 
led to consider values of the form 

|cW(r) + AW-cW(T)| 

which, using Lemma 2, can be approximated by 

|cW(r + AW)-cW(r)|. 

Lemma 3 is concerned with quantities of this form. 

2.3.2 The Proof in Detail 

We now prove that the Interactive Convergence Clock Synchronization Al- 
gorithm maintains the clock synchronization conditions SI and S2. The 
proof closely follows that of Lamport and Melliar-Smith [11, pages 64-66] 
(though we do separate the two synchronization conditions and prove them 
individually as Theorems 1 and 2, respectively). In particular, our Lemmas 
1-5 correspond exactly to (corrected versions of) theirs. However, since we 
use Lemma 2 in the proof of Lemma 1, we rearrange the order of presenta- 
tion accordingly. We also introduce a Lemma 6 and a Sublemma A that is 
used in its proof and also in the base case of the inductive proof of condition 
SI. Lamport and Melliar-Smith subsumed both of these in the proof of their 
main theorem. In addition, we distinguish several special cases for Lemma 
2, which we identify as Lemmas 2a-2d. (Lemma 2c is the one that corre- 
sponds most closely to Lemma 2 in [11].) The reasons for these additional 
lemmas are: first, we describe the proof in greater detail than did Lamport 
and Melliar-Smith; secondly, the statements of some of our lemmas are more 
restrictive than those of Lamport and Melliar-Smith (that is why we need 
several variants of Lemma 2 — the single Lemma 2 stated by Lamport and 
Melliar-Smith is false); thirdly, this presentation of the proof exactly follows 
the structure of the formal verification described in Chapter 4 and presented 
in detail in the Appendices. 

In the remainder of this section we state and prove the lemmas identi- 
fied above, followed by the main theorems. First, however, we state some 
constraints on parameters that are employed in several of the proofs. 

2.3.2.1 Constraints on Parameters 

Our proofs are contingent on the parameters to the Algorithm 
(n, m, R, S', E, A, e, 6 , Sq and p) satisfying certain constraints. We could men- 
tion these constraints explicitly in the statements of the lemmas and of the 
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theorems, but that would be tedious and would clutter those statements 
needlessly. Accordingly we list and name here the six constraints that the 
parameters are required to satisfy. Satisfaction of these constraints is as- 
sumed throughout the proof. 

The first two constraints can be modified (but not eliminated) if neces- 
sary by suitably adjusting some of the proofs; we chose these particular con- 
straints for simplicity and because we felt that there would be no difficulty 
satisfying them in any likely implementation. The other four constraints are 
fundamental to the operation and analysis of the Algorithm. 

Cl: R > 35 

C2: S > £ 

C3: £ > A 

C4: A>£+e+§S 

C5: 6 > S 0 + pR 

C6: « > 2(e + ,S) + ^ + ,A 

n~m n - m n - m 

The reader may wonder why we do not include the celebrated constraint 
3m < n. The reason is simply that this is a derived constraint, not a funda- 
mental one. It is easy to see that C4 and C6 can be satisfied simultaneously 
only if indeed 3m < n, but it is also quite possible for values of other pa- 
rameters to render C4 or C6 unsatisfiable even if 3m < n. 

2. 3*2. 2 The Lemmas 

Lemma 2: If processor p is nonfaulty through period i + 1, and T 

and II are such that and a!$\t + II) are both in the interval 

(4 0| (ri°>),4 i+I) (rt i+! >)], <*«» 

l4 q (r + n) - [cWfr) + n]| < | |n|. 

Proof: Since p is nonfaulty through period i + 1, we know by A1 that 
Cp is a good clock in the interval [A^(T(°)), a£’ + 1 )(T( ,+2 ))]. Then, by the 
definition of a good clock, we have 

+ II)) - . p 

n 2 ’ 


20 


Traditional Mathematical Presentation 


from which the result follows by the identities c p ^(T) = c p (A p ^(T)), and 

cP(t + n) = c p {4\t + n)). 

□ 

We are going to need some specializations of Lemma 2. The first will be 
used to bound expressions of the form 

| cW(r + $ + n) - [ C W(T + *) + n]| 

where T E Application of Lemma 2 in this case requires us to es- 

tablish that A^ p \t + $) and A p \t + $ + II) are both in the interval 
[ Ap 0) (T (0) ) , Ap +1) (T (,+2) )] . 

Recall that C p °^ = 0, so that Ap°^(T) = T. Thus, in order to satisfy the 
lower bound A p 0 ^ (T^) < A p ^(T+$) in the case * = 0 and T = R — S , 

it is clear that we should require |$| < R — S. To prove that this condition 
suffices for the case of general * and T is surprisingly tedious and requires 
an induction on i . 

We have just established the base case; for the inductive step, we assume 
that T E S® and |$| < R — S are sufficient to establish that A P °^(T^) < 
A$\T + <S>) and we note that if V E S(‘ +1 ), then T' = T + R for T E S®. 
Thus 


A (i+i)( T » + $ ) _ 


> 


4 <+1) (7 + * + R) 

A^ {T + Q + R + C< i+1 ) - CW) 
AW(T + $) + R + c£ +1 ) - cW 
aI°\T (o)) + R + C£ +1 > - C& 


where the last line follows from the inductive hypothesis. In order to com- 
plete the inductive step, we need to establish that 


R + Cf' +1 ) - C® > 0. 


This is an easy consequence of S2, Cl (which is used to derive S < R), and 
C2. 

To satisfy the upper bound A p \t + *!>)< Ap +1 ^(!T( ,+2 )) in the limiting 
case T = T( ,+1 ), we need to establish 

j'(*'+ 1 ) .(. $ 4. cW < 7 , (*'+ 2 ) + C^ i+1 K 
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Now r(‘+ 2 ) = r(' +1 ) + R and S2 provides |C# +1) - C$\ < E so what we 
need is 

$< fl-E. 

It is clear that this can be achieved if |$| < R - S (as before), and |E| < S. 
The latter constraint is ensured by C2. 

We have just sketched the proof of 

Lemma 2a: If processor p is nonfaulty through period i + 1, T G S W, 
|$ + II| < R — S, and |$| < R - S , then 

|eW(T + $ + n) - [ c «(r + 9) + n]| < t |n|. 

□ 

We will also require a variant of this result where the only bounds avail- 
able on $ and II are |$| < S and |JI J < S. It is easy to see that Lemma 2a 
can be applied, provided 3 S < R — which is the Constraint Cl. This yields 
Lemma 2b: If processor p is nonfaulty through period i + 1, T € S^'\ 
|$| < S, and |II| < S, then 

I cW(r + * + n) - [ C W(T + *) + n]| < | |n|. 

□ 

The special case $ = 0 provides 

Lemma 2c: If processor p is nonfaulty through period i + 1, T G SW, and 
|II| < S, then 

|cW(r + n)-[cW(r) + nj|<||n|. 

□ 

The final specialization of Lemma 2 is Lemma 2d. Like that of Lemma 
2a, its proof requires a surprisingly tedious argument (including an induc- 
tion) to establish that the constraints on IT are sufficient to satisfy the an- 
tecedents to Lemma 2. 

Lemma 2d: If processor p is nonfaulty through period i and 0 < U < R t 
then 

| c W(tW + n) - (cW(rW) + n]| < t n . 

Z 

□ 

Lemma 1: If the clock synchronization conditions SI and SS hold for i, 
and processors p and q are nonfaulty through period i + 1, then 

|A«| < A. 
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Proof: By A2, we have 
and 


|A$| < 5 


(2.5) 


|cW(T' + AW)- c (0( T ')|< t 
for some time T' in SM. Using the arithmetic identity 
x = (u - v) + (v - w) - (u — [w + x]) 


we obtain 

4 ) (7 - ' + A® - 4‘ ) P’') 

+ 4 () (r'| - 

- (4 0 (3" + A® - [4°(3”) + A®)|. 

i4 0 (r+A8)-4 0 (J")l 
+ icfV) - 4°(m 

+ |4’ , P’ , +a®-[4 ,) P'') + a®|. 

The first term in the right hand side is the left hand side of the instance of 
A2 with which we began. Applying SI and Lemma 2c to the second and 
third terms, respectively, we obtain 

|AW| < e + « + | a<-> 


i4?i = I 

Hence 

|A$ P | < 


from which the conclusion follows by (2.5) (which was also needed to justify 
application of Lemma 2c) and C4. 

□ 

Lemma 3: If the clock synchronization conditions SI and SZ hold for i, 
processors p and q are nonfaulty through period i + 1, and T £ then 

\c^{T+A^ p )-c^{T)\<e + pS. 


Proof: By A2, we have 

|A$| < 5 (2.6) 


and 


|4°(T' + A$) - cJ’)(T')| < e 
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for some time T' in SW. Let II = T - T 1 , so that T = T' + II. Using the 
latter, plus the arithmetic identity 

* “ !/ = (* - [« + v]) + (u - ty) - (y - [it; + v]), 

we obtain: 

|cW(r + Ag)-cW(r)| = 

| 4° P* + + n) - [4° (r» + a w ) + n] 

+ 4°(t' + a$) - 4‘V) 

-(4’ ) (T' + n)-[ c W(T') + n])|. 

Hence 

|cW(T + A W)-cW(r)|< 

l4* , (r' + a$ + n) - (4°(t' + a$) + n]| 

+ |4‘ ) (t'+aS’J)- c W(t')| 

+ |4 ,) (r' + n)-[4°(r) + n]|. 

Applying Lemma 2b to the first term on the right hand side (this is justified 
by (2.6) and the observation that |II| < S since T and T' are both in £(*)), 
recognizing the second term as the left hand side of the instance of A2 with 
which we began, and applying Lemma 2c to the third term, we obtain 

|cW(r + aW) - 4°(r)| < f M + « + 1 |n|. 

The result then follows from |n| < S. 

□ 

Lemma 4: If the clock synchronization conditions SI and S2 hold for i, 
processors p , q, and r are nonfaulty through period * + 1, and T e SW, then 

|4<>(T) + AW - [«W(r) + A«]| < 2(e + pS) + ,A- 

Proof: By Lemma 1, we know that |A$| < A and |A$| < A. Hence, by 
the Algorithm, Aip = A^ and = A.J and so 

i4°m + = \4Ht ) + aw _ |c w (r) + A w]|. 

Using the arithmetic identity 

x - y= (u- y) - (v - x) + (v - w) - (u- w) 
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we obtain 

|cW(T) + aW-[ C W(T) + aW]| = 

I Cq\T + Arfl) — [<4’ } (T) + Ar*]] 

-( C W(T + aW)-[cW(T) + aW]) 

+ 4 , ' ) (r+A$)-4 ,) (T) 

- {c$\t + A?l) - cP(T))\ 

and 80 | C W( T ) + A W - [*P(T) + AW]| < 

|4* } (T + Arj) — Cq\T) + Ar*,j| 

+ |4°(r + A$) - 4° (T) + Arp | 

+ |4 i) (r + AS)-4°(r)| 

+ |4’ ) (T + aW)-4 0 (T)|. 

The result follows on applying Lemma 2d to the first two terms in the 
right hand side (using C2 and C3 to provide A < S) and Lemma 3 to the 
remaining two. 

□ 

Le mm a 5: If the clock synchronization condition SI holds for i, processors 
p and q are nonfaulty through period i + 1, and T G S W, then 

|cW(t) + £« - [ c W(r) + £«]| < s + 2A. 


Proof: Using the arithmetic identity 

(a + x) - (6 + y) = (a - b) + (x - y), 

we obtain 

l4 0 (r) + &!$ - \4'Ht) + a!']H = i4°(t') - ‘?(t) + - a^i 

< |4 0 (r)-4°(r)l + |A8| + |AS|. 

The result follows on applying SI to the first term on the right hand side, 
and observing that the Algorithm ensures that the remaining two terms are 
no larger than A. 

□ 

Sublemma A: If processors p and q are nonfaulty through period i, and 
T <E JjW, then 

|cW(r) - c«(T)| < |cW(r(0) _ cW(T«)| + p r. 
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Proof: Letting II = T — TW (so that T = I’M + n and 0 < II < R), and 
using the arithmetic identity 

x - y = (x - [u + v]) + (u - w) - (y - [w + v]) 

we have 

| c W(T)-cJ*)(T)| = 

I 4 f) (T (i) + n) - [c^trW) + n] 

+ 4°(rW) - 4 0 (rW) 

- (4°(tW + n) - (4°(tW) + n])| 

and hence 

tcW(T)-cW(T)|< 

l4* ) (rW + n)-[cf ) (rW) + nj| 

+ |4 0 (TW) - C { ^(T^)\ 

+ |cj°(rw + n) - [4°(rW) + n] |. 

The result then follows on applying Lemma 2c to the first and third terms 
on the right hand side. 

□ 

Lemma 6: If processors p and q are nonfaulty through period i + 1, and 
T E then 

|4* +1, (T) — 4* +1 ^(T)| < \c^T^)+A^-[c^HT^)+A^]\+p{R+^y 
Proof: Using Sublemma A (for the case » + 1 rather than *), we obtain 

|4 <+1, (T) - eJ ,+1) (T)| < |4 i+1) (T ( ’ +1) ) - C (‘+ 1 )(T(‘ +1 ))| + pR. 

By the Algorithm, 

| C (.+ 1 )( T (.+ 1 )) _ c (.+i)( T («+i))| = | c W( T (*+i) + A (0) _ c (i)( T (i+i) + A «)|. 

Using the arithmetic identity 

x - y = (x - [u + v]) - (y - [ 11 / + z)) + (ti + t; - [tu + z\) 

we obtain 

| c (i ) ( T (<+i ) + A (0) _ c (‘)(t(*+i) + A (0)| = 

| 4°(r (<+1) + aJ,°) - [4 0 (r (,+1) ) + a { p ] ] 

- (4 <) (rt <+1 ) + aJ°) - [cS i) (r(*+ 1 )) + aJ°]) 

+ 4°Cr ( * +1 >) + aJ 0 - [4°(t (<+1 >) + aJ°]| 
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and hence 

|4‘)(t( ,+1 ) + a(‘>) - c W(r( <+1 > + aW)| < 

| c (0( T (.+ i ) + A (fy _ [ c (‘)( T (.+i)) + A (0j| 

+ |4°(rP +1) + aW) - [ c W(t(*‘ +1 )) + aJ°] | 

+ |4°(T (< + 1 )) + A{° - [ c W( T (.+i)) + A (*)]| 

Applying Lemma 2c to the first two terms on the right hand side (which is 
justified because the Algorithm provides A^ = Cp + 1 ^ — Cp\ S2 then gives 
|Ap^| < S, and C2 gives S < 5), we obtain 

l4°(r ( ‘ +1) + AW) - cW(T( <+1 ) + AW)| < 

| c W( T («+D) + A w _ [ C W( r«+ 1 )) + aWji + p e. 

and the result follows. 

□ 

2. 3.2. 3 The Correctness Theorem 

We divide the correctness theorem into two, and prove separately that the 
Algorithm maintains SI and S2. 

Theorem 1: For all processors p and q, if all but at most m processors are 
nonfaulty through period i, then 

Sis If p and q are nonfaulty through period i, then for all T in R M 

i4°( r ) - 4°( r )i < *■ 

Proof: We use induction on t . The base case t = 0 follows from Sublemma 
A, Assumption AO, and Constraint C5. For the inductive step, we assume 
the theorem true for i, assume its hypotheses true for t + 1, and consider 
|cp t+1 ^(T) — c£ +1 ^(T)|. Lemma 6 then gives 

|c(*' +1) (r) - 4* +1) (T)| < |cW(T ( ‘ +1) )+ AW - [ C W(T(’ +1 ))+ AW]|+p(i2+E). 
By the AJgorithm, the right hand side equals 

(£) E(4 fl (r (<+1) ) + A « - [cW(7* +1 >) + AW]) + p(R + E) 

V 7 r=l 

< (£) £ l4°(r (<+l) ) + Ag - [cW(r('+D) + aW]| + P ( R + e) 

V 7 r= 1 

< I(« - m)( 2[e + pS) + pA) + m{6 + 2A)] + p(R + E) 
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where the first term is obtained by applying Lemma 4 to the n—m nonfaulty 
processors, and the second is obtained by applying Lemma 5 to the m faulty 
ones. The result then follows from the Constraint C6. 

□ 

Theorem 2: For all processors p, if all but at most m processors are non- 
faulty through period i, and processor p is nonfaulty through period i, then 

S2: |c£ +1) - c£ } | < £. 

Proof: The Algorithm defines 

Cf' +1) = CW + A« 

and Ap^ is the average of n terms, each less than A. The result follows. 

□ 


Chapter 3 

Comparison with the 
Published Analysis by 
Lamport and Melliar-Smith 


In this chapter we describe the differences between our analysis and that of 
Lamport and Melliar-Smith, and we describe and discuss the flaws in their 
presentation. 

Our proof of the correctness of the Interactive Convergence Clock Syn- 
chronization Algorithm, which was presented in the previous chapter, follows 
the original proof of Lamport and Melliar-Smith [11] very closely; our only 
changes are technical ones. Some of these were motivated by the needs 
of truly formal specification and verification; others were motivated by the 
need to correct flaws in the original. We begin with changes in the first 
class, then describe the flaws we discovered in the published proof. 


3.1 The Definition of a Good Clock 


Lamport and Melliar-Smith define the notion of a good clock relative to a 
real time interval as follows: 


A clock c is a good clock during the real time interval [ti, * 2 ] 
if it is a monotonic, differentiable function on [Ti, T 2 ], where 
Ti = c~ 1 (ti),i = 1,2, and for all T in 


dc 

dT 


cn-i 
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This definition obviously presents a considerable challenge for a completely 
formal specification — it would require axiomatizing a fragment of the differ- 
ential calculus. Accordingly, we follow Butler [4] and use the Mean- Value 
Theorem to provide a more tractable definition: 

c(Ti) - c(T 2 ) p 

Ti-T 2 2 

This formulation avoids the use of derivatives, but still requires use of the 
inverse clock function. This can be avoided by defining the notion of a good 
clock relative to a clock time interval: 

A clock c is a good clock during the clock time interval [To, TV] 

' c(ri)-cfli) £ 

Tj-r, 2' 

whenever T\ and T 2 are clock times in [To,Tjv]. 

The formulation we employ for the notion of a good clock is this last one, 
except that we rewrite the constraint as 

|c(Ti) - c(T 2 ) - (Tx - r 2 )[ < | (Ti - T 2 ) 

in order to avoid the use of division and the obligation to ensure T\ ^ T 2 . 

Notice that although we no longer explicitly require a good clock to be 
monotonic, it follows implicitly as a corollary to our definition that, since p 
is small, the clock function c is strict monotonic increasing (and therefore 
has an inverse function). This fact is proved as Theorem monotonicity in 
Module clocks. 

3.2 Explicit Functional Dependencies 

We made the functional dependency on t, the synchronization period, ex- 
plicit in the three subscripted A quantities that appear in the Algorithm: 
where Lamport and Melliar-Smith use A p ,A qp and A qp , we use A p \a$ 
and Ag P . Thus, A qp is the difference between q’s clock and p’s observed 
by p during the i’th period. This change is a technical correction necessi- 
tated by our use of a strict formalism. An alternative in the case of A qp 
would have been to include it in the scope of the existential quantification 
in A2 (Skolemization would then have provided the functional dependence 
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on i), but that would have needlessly complicated the technical details of 
the argument. 

Throughout the rest of this Chapter, we use the notation of Lamport 
and Melliar-Smith (i.e., no superscripts on the A functions) whenever we 
are discussing their proof. 

3.3 Approximations and Neglect of Small Quan- 
tities 

In order to “simplify the calculations” Lamport and Melliar-Smith make ap- 
proximations based on the assumption that np <£ 1. They neglect quantities 
of order npe and n/> 2 [11, Section 3.4] and use the notation y to indicate 
approximate equality and x ~ y to indicate approximate inequality, (x ~ y 
means x < y 9 for some y 9 « y.) 

When we first attempted to formalize the proof of Lamport and Melliar- 
Smith, we followed their example and used approximations. However, we 
soon discovered that this required use of some unjustifiable axioms; referring 
to the published proof, we found the corresponding steps to be incorrect 
there also. One of these steps is in the main induction (invalidating the 
whole proof), another is in Lemma 4. These are described below. 

3.3.1 A Flaw in the Main Induction 

The goal of the main induction is to establish the clock synchronization 
condition SI. This is stated [11, page 63] as 

- cW(T)| < 6 

while the inductive step [11, page 66] establishes 

l4 ,+1) (T') - cJ’ +1 )(T')| ~ 6 . 

Thus, the inductive step establishes the desired result only under the unac- 
ceptable hypothesis that x ~ y D x < y. Of course, this immediate difficulty 
can be remedied by restating SI as 

but one would then have to reexamine the whole proof in order to be sure 
that the inductive step and all its lemmas remain true under this weaker 
premise. □ 
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3.3.2 A Flaw in Lemma 4 


Lamport and Melliar-Smith’s version of Lemma 1 [11, page 64] establishes, 
under suitable hypotheses, that |A, P | ~ 6 + e. However, their proof of 
Lemma 4 [11, page 65] requires |A ?P | < 6 + e, which is not substantiated by 
these premises. □ 

The two examples cited above are definite flaws — the proofs are incor- 
rect as stated. In repairing these flaws we faced a choice: we could ei- 
ther continue to work with the approximations — attempting to get them 
right — or we could reexamine the whole use of approximations and investi- 
gate whether the proof could be carried through with exact inequalities. We 
chose the latter course. Our motivation was largely aesthetic — we found the 
use of approximations, and especially the potential appearance of approxi- 
mate bounds in the statement of the main theorem, to be very unsatisfying. 
The use of approximate relations also cluttered the mechanical verification — 
unlike exact arithmetic relations, which are built into our specification lan- 
guage and theorem prover, the approximate relations had to be explicitly 
axiomatized and, more tediously, cited wherever they were needed. We had 
also come to doubt Lamport and Melliar-Smith’s belief that the use of ap- 
proximations simplified the tmmechanized calculations — on the contrary, we 
found that the need to assure ourselves of the correctness of the approxi- 
mations was a major complicating factor in understanding their published 
proof. 

Accordingly, we revised the published proof, adding additional terms 
where necessary so that' exact equalities and inequalities could be used. 
This proved to be quite straightforward and, to us at least, the resulting 
proof (presented in the previous chapter) is no more complicated than that 
published by Lamport and Melliar-Smith, and the use of exact bounds is 
more satisfying. The revisions necessitated by the use of exact inequalities 
are few and are listed below. Notice that in a couple of cases, the changes 
are simplifications. 

Constraint C5 is changed from 

6 ~ 6q 4 - pR 


to 


6 > 6 0 + pR. 


Constraint C4 is changed from 


A pa 6 + e 
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to 


A>$ + e+ £S. 

At 


Constraint C6 is formulated as follows by Butler et al. [5]: 

„ . 2mA t npR 

6 > 2(e + pS) H h 


n - m n- m 

Lamport and Melliar-Smith use A w 6 + € to eliminate A and state 
the bound as 

6 ~ n*(2£ + p (R + 2S*)), 

where 

n' = — ~z—i and 

n - 3m 

. n - m _ 

S' = S 

n 

We prefer Butler’s form and state the revised constraint as 

2mA npR npT, 


S > 2(e + pS) + 


+ 


+ 


+ pA. 


n - m n - m n-m 
Lemma 1: The conclusion is changed from 

|A fl p| ~6 + e 

to 

|A«| < A 

Lemma 4: The conclusion is changed from 

|cW(T) + A rp - [ C W(T) + A r ,]| £ 2(e + pS) 
to 

|«W(T) + A W - [ C W(T) + A«]| < 2(e + pS ) + pA. 


3.4 The Interval in which a Clock is a “Good 
Clock” 

Several lemmas use Definition 1 (the notion of a good clock) and Assumption 
Al (a nonfaulty processor has a good clock) to establish bounds on certain 
quantities. In order to apply these definitions, we must establish that the 
times concerned fall in the interval during which the processor is hypothe- 
sized to be nonfaulty. The statements and proofs of Lemmas 1 and 2 (11, 
page 64] do not do this with sufficient care and both are false as stated. 



3.4. The Interval in which a dock is a “Good Clock” 


33 


3.4.1 Falsehood of Lemma 1 

Lamport and Melliar-Smith’s proof of Lemma 1 readily establishes 

k{f ) (To)-cJ i) (To + A , p )| < ^ + e 

where To €E S^. The next step is to use the fact that p is nonfaulty up 
to T( ,+1 ) to allow use of Definition 1. In order to be able to do this, it is 
necessary to show that 

T 0 + A qp <Tl i+1 \ 

This constraint is not true in general — To could be as large as T(* +1 ) and 
Ag P > 0. However, Lemma 1 is only used when p is known to be nonfaulty 
up to r(’ +2 ) so a plausible repair would change the statement of the Lemma 
to require that p be nonfaulty up to T^ ,+2 K Then we would merely need to 
show that 

To + A, P <T(’ +2 ). (3.1) 

Since To < T(’ +1 ) and T( i+2 ) = T( ,+1 ) + R and A qp is small, this seems 
straightforward. However, although A qp is assumed small, and the purpose 
of this very Lemma is to show it is less than A, there is no a priori bound 
on its value and therefore no basis to establish (3.1). 1 Hence, this putative 
proof of even the repaired version of Lemma 1 is flawed. In our proof, we 
introduce 

A<‘) < s 

as an explicit conjunct in Assumption A2. This is sufficient to substantiate 
our use of Definition 1. 

Notice that satisfaction of this strengthened statement for Assumption 
A2 must be justified for any realization of the Algorithm. 

*It might seem that we could establish that A flf> must be very small by using the facts 
the p and q were synchronized during the previous period and cannot have drifted very 
far since then. This argument, however, merely shows that a suitably small must 
exist — it does not guarantee that this will be the value that is actually obtained. It is 
possible that a very large value will be returned and that the constraint 

|c< 1 'Hr' + A„)-c<*'>(T , )|< £ 

will be satisfied adventitiously because the large value for A gp takes p’s clock beyond the 
interval in which it is a good clock — so that *4- A flP ) may have any value whatever. 
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3.4.2 Falsehood of Lemma 2 

There is a similar problem in the proof of Lemma 2. In order to substantiate 
the use of Assumption Al, it is . necessary to ensure that 

A^(T + n) < A(’' +1 )(r (<+2) ) 

where T € SW and |II| < R. Expanding definitions, this requires 

r(«'+i) _ $ + n + cW < + R + c£ +1) 

where 0 < $ < S. For the case where $ = 0, II > 0, and using S2, this 
reduces to 

n < E-E 

which is not ensured by the condition |IT| < R. Similar difficulty arises in 
satisfying the lower bound to the interval required for application of Al. 

In our proof we introduce several variations on Lemma 2, each with 
tighter bounds on II and/or T, and we also introduce the new constraints 
Cl (35 < R) and C2 (E < 5) in order to overcome these difficulties. These 
particular constraints were chosen for simplicity, and because we felt that 
there would be no difficulty satisfying them in any likely implementation. 
Alternative constraints are feasible, and would require minor modifications 
to the proof. 


3.5 Sundry Minor Flaws and Difficulties 

3.5.1 Falsehood and Unnecessary Generality of Lemma 3 

As stated, the Lemma is false because the bounds on II are insufficiently 
tight to substantiate use of Assumption Al (the argument is exactly the 
same as that for Lemma 2). However, n is instantiated with 0 the only 
time that the Lemma is used (in Lemma 4). In our proof, we discarded the 
parameter II, thereby correcting and simplifying the statement and proof of 
the Lemma. 

3.5.2 Missing Requirements for Clock Synchronization 
Condition S2 

The proofs of Lemmas 1 and 3 use Assumption A2, which requires that S2 
should hold. Since Lemma 4 uses Lemmas 1 and 3, its statement should 
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also require that S2 hold. The statements of all three Lemmas omit this 
condition. 

As stated, Lemma 2 also requires that only SI hold. When other nec- 
essary corrections to the statement and proof of the Lemma are made, it 
becomes necessary to require that S2 hold as well (in order to bound the 
extent to which the interval [J’(’ +1 ) ) y( , + 2 )] can “shrink” when the correction 
Cp +1) is applied). 

3.5.3 Typographical Errors in Lemmas 2 and 4 

The conclusion to the first part of Lemma 2 states that a certain quantity 
is strictly less than (|) IT. This should be (|) JITJ . 

The conclusion to Lemma 4 is stated as 

| C W(T) + A rp - (c«(T) - A r ,]| < 2(e + pS). 

It should read 

|cW(D + Arp - (cW(T) + A r ,]| < 2(e + pS). 

These seem to be no more than typographical errors. 


Chapter 4 

Formal Specification and 
Verification in EHDM 


In this chapter we describe the formal specification of the Interactive Con- 
vergence Clock Synchronization Algorithm and its mechanical verification 
using the EHDM formal specification and verification environment. This 
entails encoding the Algorithm and its supporting definitions, assumptions, 
lemmas, and theorems in the specification language of EHDM, and then 
proving those lemmas and theorems with the help of the EHDM theorem 
prover. 

We begin with an overview of those features of EHDM and its specifi- 
cation language that are necessary for an understanding of this particular 
application, then we describe our application of the system to the Interactive 
Convergence Clock Synchronization Algorithm. 


4.1 Overview of EHDM 

The EHDM Specification and Verification System is an interactive system for 
the composition and analysis of formal specifications and abstract programs 
written in the EHDM specification language. Its development by the Com- 
puter Science Laboratory of SRI International is sponsored by the National 
Computer Security Center. 

A general overview of EHDM is provided in [18], where further references 
may also be found. EHDM is written in Common Lisp and implementations 
are available for Symbolics and Sun workstations. The specification and 
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verification described here was performed on a Sun workstation using EHDM 
Version 4.1.4. 

Our specification and verification of the Interactive Convergence Clock 
Synchronization Algorithm uses only some of the capabilities of EHDM. 
Specifically, it uses unparameterized modules, the functional component of 
the specification language, the ground prover, and the proof chain analyzer . 1 
In this section we will describe only those parts of EHDM that are needed 
to understand our specifications and proofs for the Interactive Convergence 
Clock Synchronization Algorithm. Readers who wish to know more about 
EHDM should consult the references cited earlier. 

4.1.1 The Specification Language 

The fragment of the EHDM specification language used here is a strongly 
typed version of the First-Order Predicate Calculus, enriched with elements 
of other logics — specifically Higher-Order Logic and the Lambda Calculus. 
The two volumes by Manna and Waldinger [13, 14] provide an introduction 
to some of these topics that is especially suitable for computer scientists; 
Andrews [3] gives a more detailed treatment, including a good discussion of 
Higher-Order Logic. 

4.1.1.1 Declarations 

The EHDM specification language allows the declaration of five different sorts 
of entities: types, variables, constants, formulas, and proofs. There are six 
built-in types in EHDM (that is, types which for which the system provides 
an interpretation). The five of interest here are the rational numbers (in- 
dicated by the identifier number), the integers (indicated by the identifiers 
integer or int), the natural numbers (indicated by the identifiers natu- 
ralnumber or nat), the booleans (indicated by the identifiers boolean or 
bool), and the function types (which are described shortly). In addition, 
the user may introduce uninterpreted types, type synonyms, and subtypes. 
Here, we use only the built-in types, plus type synonyms. The declaration 

x The capabilities not used here include parameterized modules and assuming clauses, 
mapping modules, the procedural component of the specification language, the instan- 
tiator for the theorem prover, the Hoare-Sentence prover, the Ada Translator, and the 
multilevel security analyzer. We plan to construct a procedural description of the In- 
teractive Convergence Clock Synchronization Algorithm at some time in the future; this 
will enable us to demonstrate the procedural component of the specification language, the 
Hoare-Sentence Prover, and possibly the Ada Translator. 
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clocktime: TYPE IS number 

introduces clocktime 2 as a synonym for the natural numbers (equivalently, 
we can think of the natural numbers as supplying the interpretation for the 
type clocktime). 

Variables are introduced by declarations of the form 
Tl, T2: VAR clocktime 

while uninterpreted constants are introduced by declarations of the form 
T_ZERQ: clocktime 

Constants of a built-in type can be given an interpretation using a literal 
value of that type, for example: 

T_ZER0: clocktime = 0 

Function types are written as follows: 

X: TYPE IS function [processor , period, clocktime -> realtime] 

where the type-identifiers preceding the -> indicate the domain of the func- 
tion type, and that following indicates the range. 

EHDM is a higher-order language, so that function types may have other 
function types in their domain or range, for example 


foo: TYPE IS function[nat , nat, function [nat -> number] -> number] 

Functions are simply constants of a function type: 

correction: function [processor , period -> clocktime] 

There is no special notation for predicates; a predicate is simply a function 
with range bool: 

goodclock: function [processor , clocktime, clocktime -> bool] 

It is also perfectly feasible to have variables of a function type: 

2 EHDM identifiers consist of a letter, followed by a sequence of letters, digits, and the 
underscore character. Identifiers are case sensitive: tl and T2 are different identifiers. The 
keywords of EHDM are not case sensitive, however: type , TYPE, and even tYpE all denote 
the same keyword. By convention we put keywords in upper case. (This is the default 
used by the EHDM prettyprinter.) 
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prop: VAR function[nat -> bool] 

Literal values of a function type are denoted using lambda-notation, and 
may be used to give an interpretation to a function constant. The following 
specification fragment gives an example. 3 

p: VAR processor 
i: VAR period 
T: VAR clocktime 

adjusted: function [processor ( period, clocktime -> clocktime] « 
(LAMBDA p, i, T “> clocktime: T + correct ion (p, i)) 

Formula declarations have the following schema: 

name: KEY value 

where the name is simply an identifier that is used to refer to the formula, 
KEY is one of the keywords FORMULA, AXIOM, LEMMA, or THEOREM, 4 and 
value is boolean-valued expression. 

Expressions can be built up from the usual propositional connectives 
(which are written as NOT, AND, OR, IMPLIES, and IFF), universal and 
existential quantification, function application (written in the usual prefix 
notation — e.g., adjusted(p, i, T)), equality (written as *), 6 disequality 
(written as /=), the usual arithmetic operations (written as - , +, * and 
/), and the relations of arithmetic inequality (written as <, <=, >, and 
> s ). There is also a three-place if-tken-else operator that is written, for 
example, as: 

abs.def: AXIOM abs(x) « IF x < 0 THEN -x ELSE x END IF 
Quantified expressions are written in the following form: 

s Notice that unlike many programming and specification languages, EHDM declarations 
are not terminated by a semi-colon. 

4 The8e four keywords are almost equivalent (AXIOM is actually distinguished from the 
other three). However, they are meant to be used in a way that indicates the specifier’s 
intention: an AXIOM is something intended to be taken as primitive, while LEMMA and 
THEOREM indicate something that will be proved. We use FORMULA to indicate something 
that ought to be proved but is not (i.e., a “temporary* axiom). The EHDM Proof-Chain 
Checker is used to ensure that all non-AXIOMs are ultimately consequences only of AXIOMS 
and PROOFS. 

6 The symbol * denotes logical equivalence when its arguments are of type boolean — it 
is a synonym for IFF in this case. 
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R: clocktime 

T, PI: VAR clocktime 

i: VAR period 

T_Bup: function [period -> clocktime] 

in_R_interval : function [clocktime, period -> boolean] 

Rdef: AXIOM in_R_interval(T, i) * 

(EXISTS PI: 0 <= PI AND PI <« R AND T = T_sup(i) + PI) 

Free variables in EHDM formulas are treated as if they are universally quan- 
tified at the outermost level (i.e. , formulas denote their universal closure). 
Thus, the following is equivalent to the AXIOM of the same name given earlier: 


abs.def : AXIOM (FORALL x: abs(x) = IF x < 0 THEN -x ELSE x END IF) 

It is generally easier to read formulas when this outer level of quantification 
is omitted. 

EHDM permits overloading of function names and provides subtype-to- 
supertype coercions. This is of some importance when dealing with arith- 
metic. The naturals are defined as a subtype of the integers, which in turn 
are defined as a subtype of the (rational) numbers. The binary arithmetic 
functions and relations require both their arguments to be of the same type; 
the function and relation symbols actually denote different functions ac- 
cording to the type of their arguments. If an arithmetic function or relation 
is supplied with arguments of different types, then a subtype to supertype 
coercion is applied until the types match. Thus, in the following fragment 

□: VAR nat 
i: VAR int 
r: VAR number 

X: FORMULA r = i + n 

it is addition on the integers that is supplied as the interpretation of the + 
sign (n is coerced to integer), the result is coerced to a (rational) number, 
and the equality function used is that for the (rational) numbers. 

4.1. 1.2 Modules 

Specifications in EHDM are structured into named units called modules in 
much the same way as programs written in modern programming languages 
are composed of similar units (e.g., packages in Ada). A module serves 
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to group related concepts together and delimits the scope of names. An 
(unparameterized) EHDM module consists of three parts, any of which may 
be empty: an import/export part, a theory part, and a proof part. 

Declarations of all the forms described above may appear in both the 
theory and proof parts (except that AXIOMs may not appear in a proof part). 
Types and constants declared in the theory part may be made visible to the 
theory parts of other modules by listing them in the exporting part — for 
example: 

EXPORTING R, in_R_interval 

Other modules gain access to these names by citing the name of the module 
in which they are declared in their USING clauses (as the import list is called 
in EHDM). A module A which imports a module B may re-export all the 
names imported from B by adding a WITH clause to its own exporting list: 

USING A 

EXPORTING p. q. r WITH A 

This makes all the names exported by A visible to any module that imports 
B, without that module having to import A explicitly. 

All names declared in a theory part, whether exported or not, are visible 
inside the proof part of any module that imports the module concerned. 
Conversely, nothing declared in a proof part is ever visible outside that 
proof part. 

The reader should now have enough understanding of the specification 
language of EHDM to be able to read the simple module example, which is 
a simplified form of the module clocks used in the actual specification of 
the Interactive Convergence Clock Synchronization Algorithm. The module 
(which has no proof part) is shown in Figure 4.1 

4. 1.1. 3 Proofs 

EHDM proof declarations provide information that tells the EHDM theorem 
provers how to prove the formula concerned. There are two main theorem 
proving components in EHDM: the ground prover, and the proof instantia- 
tor . All the proofs described here were done with the ground prover. The 
following description covers both provers. 

A proof declaration in EHDM has the general form 

name: PROVE conclusion FROM premise!, premise2, premise3 
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example: MODULE 
USING time 

EXPORTING proc, clock, rho, Corr, adjusted WITH time 
THEORY 

proc: TYPE IS nat 
rho: number 

rho.pos: AXIOM half (rho) >» 0 

clock: function[proc , clocktime -> realtime] 

p : VAR proc 

T, TO, Tl, T2. TN: VAR clocktime 

goodclock: funct ion [proc , clocktime, clocktime -> bool] 

gc_ax: AXIOM 

goodclock(p, TO, TN) 

* (FORALL Tl, T2 : 

TO <= Tl AND TO <= T2 AND Tl <« TN AND T2 <«= TN 

IMPLIES abs(clock(p, Tl) - clock(p, T2) - (Tl - T2)) 
< mult (half (rho), abs(Tl - T2))) 

Corr: function [proc , period -> clocktime] 

zero_correction: AXIOM Corr(p, 0) « 0 

i: VAR period 

adjusted: function [proc , period, clocktime -> clocktime] ■ 
(LAMBDA p, i, T -> clocktime : T + Corr(p, i)) 

END example 

Figure 4.1: An Example EHDM Specification Module 
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where the conclusion and the premises (there can be any number of 
premises) are the names of formulas. This declaration indicates that the 
conclusion is to be proven to be a valid consequence of the premises — 
i.e., pi , P 2 , pz I - c in the conventional notation of logic. By the deduction 
theorem, this is equivalent to b Pi,P2>P3 3 c, which is equivalent to the 
unsatisfiability of 

-icApiAp 2 Ap 3 (4.1) 

The theorem provers of EHDM are refutation-based provers, and their 
strategy is to attempt to show that (4.1) (i.e., the conjunction of the premises 
and the negated conclusion) is unsatisfiable. The first step on the way to 
accomplishing this goal is to reduce (4.1) to an equivalent quantifier-free 
form by the process of Skolemization. The details of Skolemization are 
somewhat tedious to describe (see [14] for a general explanation) but the 
important point is that the existentially quantified variables in the premises, 
and the universally quantified and unquantified variables in the conclusion, 
are replaced by constants. 6 

If the remaining variables in the quantifier-free formula resulting from 
Skolemization are substituted with expressions made up of constants (such 
expressions are called ground terms), then (ignoring arithmetic for the mo- 
ment) the result will be a formula of the Propositional Calculus. Since 
Propositional Calculus is decidable, it can be readily determined whether 
this formula (which is called a ground instance of the original predicate calcu- 
lus formula (4.1)) is unsatisfiable. If it is, then so is (4.1) — which means the 
original theorem has been proven. If the ground instance is not unsatisfiable, 
it does not mean that (4.1) is unsatisfiable, nor that the original theorem 
is false — it means only that the particular set of ground substitutions cho- 
sen did not establish the theorem. However, by the Herbrand-Skolem-Godel 
theorem, we know that if the original theorem is valid, then there exists 
some set of substitutions that produces an unsatisfiable ground instance. 

The ground prover of EHDM is simply a decision procedure for the com- 
bination of propositional calculus with equality over uninterpreted function 
symbols, plus “extended quantifier-free Presburger arithmetic 7 for both the 
rationals and integers” [17]. Proof declarations for the EHDM ground prover 

6 This description ignores the effects of explicit and implicit negations (the latter are 
introduced by implications and equivalences). More precisely, it is the odd variables in the 
premises and the even ones in the conclusion that are replaced by constants — and those 
constants may be functions in the general case. 

7 This includes unary minus, addition and subtraction, multiplication by constants, 
equality and disequality, together with the relations <,<,>, and >. 
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must indicate the substitutions to be used to produce the ground instance 
that is submitted to the ground prover. Substitutions are indicated as fol- 
lows: 

name {vl <- el, v2 <- e2, ... , vn <- en} 

where name is a formula name appearing in a PROVE declaration as either the 
conclusion or a premise, the vi’s are substitutable (unSkolemized) variables 
of the formula, and the el’s are ground terms. For example: 

abs.proofO: PROVE abs_axO FROM abs_ax {a <- 0} 

Not all substitutions involve literal constants; most refer to the Skolem or 
substitution instances of variables in other premises or in the conclusion. 
The notation for this appends an “0” sign and a qualifier to the variable con- 
cerned. Thus the substitution x <- yGc means “substitute for x whatever 
is substituted for y in the conclusion,” and x <- y®p3 means “substitute for 
x whatever is substituted for y in the 3’rd premise.” More complex forms, 
such as x <- yfic+zflp3 are perfectly acceptable. When function variables 
are concerned, the substitutions may involve LAMBDA terms. 

The number of substitutions that must be given explicitly is greatly 
reduced by application of a number of default rules. If no qualifier is given 
(as in the substitution x <- y), then y is interpreted to mean “the instance 
of y in the conclusion, if there is one, otherwise the instance from this 
premise.” If no substitution at all is given for a variable, then (for the case 
of a variable x) the substitution x <- x is supplied automatically (and the 
interpretation of the missing qualifier will be supplied by the previous rule). 

This all sounds much more complicated than it really is. A typical proof 
(from the module time in the specification) is shown below: 

inRS_proof: PROVE inRS FROM Sdef, Rdef {PI <- R-S+PICpl}, SinR 

The mechanics of doing a proof in EHDM are that the user moves the cur- 
sor to the proof declaration of interest and presses the “prove” button. (The 
interface to EHDM is a screen editor with mouse-sensitive pop-up menus.) 
In the fullness of time, the system will report either “proved” (meaning just 
that) or “unproved” (meaning either that the theorem is false, or that it 
is true, but the premises and substitutions provided are not sufficient to 
establish that fact). There is no direct interaction with the ground prover; 
all the interaction is through the specification text (though there are some 
proof-debugging tools). In addition to the commands for performing a single 
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proof, there are commands for doing all the proofs in a module, or all the 
proofs in a module and all those modules that it uses. 

It will be clear from our description that the ground prover of EHDM 
is really a proof checker: all the creative work is in the selection of the 
premises and of the substitutions — and this is performed by the user. EHDM 
contains another theorem proving component called the instantiator that 
can perform some of these tasks automatically. Specifically, the instantiator 
tries to supply the substitutions needed to make a proof succeed. If it finds 
the correct substitutions, it can write them back into the specification text 
so that in future the ground prover will be able to perform the proofs on its 
own. 

The instantiator is a full first-order theorem prover: it can prove any 
true theorem of first-order predicate calculus. However, its effectiveness 
in finding suitable substitutions is considerably diminished in the presence 
of interpreted symbols, such as those for equality and arithmetic. (For 
example, it succeeds on only 4 of the 12 proofs in the module absolutes 
if all the explicit substitutions are deleted.) Since the specifications of the 
Interactive Convergence Clock Synchronization Algorithm make heavy use 
of arithmetic, we did not use the instantiator in this effort. The powerful 
arithmetic capabilities of the EHDM ground prover were crucial to our ability 
to perform this work. 

4. 1.1.4 Other Components of the EHDM System used in the Proof 

Proof Chain Checker. The notion of “proof” that is established by the 
EHDM theorem prover is a local one: it assures us that the conclusion is 
indeed a valid consequence of the premises. But it does not tell us whether 
those premises are axioms or theorems, and if the latter, whether or not 
they have been proved. This larger scale analysis is performed by an EHDM 
tool called the “Proof Chain Checker.” The Proof Chain Checker can be 
invoked with either a PROVE or a FORMULA declaration as its target. In the 
latter case, it first searches for a proof of the formula concerned; in either 
case it then recursively examines the status of all the premises named in the 
proof. Proof Chain Analyses for the clock synchronization conditions in our 
specification are given in Appendix C. 

Pretty printers. The written appearance of specifications has a significant 
impact on the ease with which they can be read, understood — and written. 
The concrete syntax of the EHDM specification language attempts to be close 
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to traditional mathematical and logical notation. A rather sophisticated 
prettyprinter helps ensure a uniform lexical style for specifications. The 
specification listings in Appendix D were produced by the prettyprinter. 

Even given the relatively straightforward concrete syntax of EHDM, it 
can still be hard to read specifications composed of long series of func- 
tion applications. Thus, we developed a table-driven “IATgX-printer” for 
EHDM that converts EHDM specifications into I^TgX input. This can then 
be processed by IATjjX to produce very readable specifications, with two- 
dimensional layout including sub- and superscripts and “mix-fix” function 
symbols. For example, a functional expression in EHDM 

abs(c(p, i. T) - c(q, i, T) ) 
can be converted to the more comprehensible notation 

i4°( r ) - 4°( r )i- 

When a function name is used alone (for example, in a declaration), it is 
printed as a template indicating argument positions. Thus, for example, 

^*1 (* 3 ) : function [proc , period, clocktime — ► clocktime] 

makes it clear that the first argument will appear as a subscript, the second 
as a parenthesized superscript, and the third in normal parentheses. We ex- 
pect this tool to become a very useful addition to the EHDM environment, 
since it greatly assists the reading of specifications and should thereby con- 
tribute greatly to the peer review and evaluation of EHDM specifications. 
The I^TgX-printed version of the example from Figure 4.1 is shown in Fig- 
ure 4.2. 

We used the I^TgX-printer to convert our EHDM specifications into the 
exact notation used by Lamport and Melliar-Smith; the listings in lATgX 
form are given in Appendix B. The translations used for the EHDM identi- 
fiers are displayed in Table A.l of Appendix A. 

Cross-Reference Tools. There are nearly 300 EHDM identifiers declared 
in our specification of the Interactive Convergence Clock Synchronization 
Algorithm. Keeping track of the declarations and uses of these identifiers 
could become quite burdensome, so the EHDM environment provides simple 
cross-reference functions to assist in this task. Two of these functions allow 
the user to locate and jump to the declarations and uses, respectively, of a 
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example: Module 
Using time 

Exporting proc, c*!(*2), p, c£ 2) , A^ 2) (* 3 ) with time 
Theory 

proc: TYPE IS nat 
p: number 

rho.pos: Axiom £ > 0 

c*i(*2): function[proc, clocktime — ► realtime] 
p : VAR proc 

T, To, Ti, T 2 , Tff. VAR clocktime 

goodclock: function [proc, clocktime, clocktime — ► bool] 

gc.ax: Axiom 

goodclock (p, T 0 , Tff) 

= (VT! ,T 2 : 

T 0 < Ti A T 0 < T 2 A Ti < T n A T 2 < T n 

D Ic^Tj) - c p (T 2 ) - (Ti - T 2 )| < f x |Tj - T 2 |) 

function [proc, period — ► clocktime] 

zero_correction: Axiom Cp^ = 0 
t: VAR period 

J (*3): function [proc, period, clocktime — » clocktime] = 

( A p, i, T— + clocktime : T + Cp 

End example 


Figure 4.2: M^X-printed Example EHDM Specification Module 
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given identifier; the third provides a tabular cross-reference to all declara- 
tions in a given EHDM library. (EHDM allows specification modules to be 
collected into “libraries” and manipulated as a group.) 

The table produced by this third function of the EHDM cross-reference 
tool is given in Tables A.2 to A. 14 in Appendix A. 

4.2 The Formal Specification and Verification of 
the Algorithm 

A formal specification generally divides into two components: one directly 
concerned with the problem at hand, and another in which are developed 
all the “supporting theories” needed in the first but peripheral to its main 
purpose. The supporting theories provide the “background knowledge” that 
we would like to be able to assume in order to get on with the main problem. 
With a formal specification system, the built-in “background knowledge” is 
generally very limited (usually it is little more than predicate calculus with 
equality) and the construction of explicit specifications for the supporting 
theories may often consume the greater part of a specification effort. It 
has been recognized for a long time that the development of certified li- 
braries of generally useful supporting theories would be one of the most 
useful contributions to reducing the cost and increasing the reliability of 
formal specifications. The module library mechanism of the EHDM system 
provides a suitable framework for standard modules; however, the libraries 
have not yet been populated. 

Examination of Chapter 2 will show that the background knowledge 
used in the specification and analysis of the Interactive Convergence Clock 
Synchronization Algorithm includes a significant amount of arithmetic, in- 
cluding inequalities, absolute values, and summations, but not much else. 
Since we define a good clock without recourse to differentiation, we avoid 
the need for real numbers and can use the rationals to represent time. 

As mentioned earlier, integer and rational arithmetic are built into 
EHDM. Thus, the only supporting theories for arithmetic that we need to 
specify explicitly are those for absolute values and for summation. Because 
EHDM uses a higher-order logic, induction schemes are provided axiomati- 
cally, rather than being built in as rules of inference; consequently, we will 
also need a supporting theory to provide a suitable induction axiom. 

Our specification and verification of the Interactive Convergence Clock 
Synchronization Algorithm is described in the three subsections following. 
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First we describe the EHDM modules that provide the supporting theories, 
then those that build up the specification of the Algorithm, and finally those 
that develop the proof that the Algorithm maintains synchronization. List- 
ings of the specification modules described here are given in IATgX-printed 
form in Appendix B and in raw form in Appendix D. Cross-references are 
provided in Appendix A. 

4.2.1 Supporting Theories 

Seven modules provide supporting theories for the specification. 

4.2. 1.1 Absolutes 

Absolute values are used extensively in the specification. It would be entirely 
feasible to specify the absolute-value function in EHDM by the definition 

a: VAR number 

abs: function [number -> number] ■ 

(lambda a -> number: if a<0 then -a else a end if) 

However, this would result in the definition being expanded everywhere it 
appeared which would work, but would slow the theorem prover down 
considerably. 8 Thus we chose to specify the abs function by means of an 
explicit axiom, so that we could control when the definition is expanded. 

a: VAR number 

abs: function [number -> number] 

abs.ax: AXIOM abs (a) - if a<0 then -a else a end if 

We could have stopped there, but decided it would be preferable to build up 
a collection of useful proved results about the abs function. We were partly 
motivated by concerns for theorem proving efficiency, and partly by a desire 
to make our proofs as readable as possible. For example, if a proof needs 
the property \x -f- y| < |x| -f- j y | , it is not only more efficient to supply this 
to the theorem prover explicitly (rather than merely provide absjuc), but 
it also makes it easier for a reader to follow the proof. This use of derived 
properties (rather than referring everything back to definitions) is, of course, 
quite normal in traditional mathematical presentations. A collection of some 
dozen elementary results of this kind are collected and proved in the module 
absolutes. 

For example, expanding the definition of abs will only complicate the proof of the 
formula a=b IMPLIES ab8(a)=abs(b). 
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In addition, the module absolutes contains two axioms that state prop- 
erties of the absolute value function in the presence of multiplication and 
division: 

abs.times: AXIOM abs(a*b) = abs(a) * abs(b) 

abs.div: AXIOM b /- 0 IMPLIES abs(a / b) - abs(a) / abs(b) 

As explained in more detail in the following subsection, multiplication and 
division are largely uninterpreted in EHDM so it is necessary to introduce 
properties such as these either by means of explicit axioms, or as derived 
consequences of a more primitive axiomatization for multiplication and di- 
vision. We have chosen the former course. 

4.2.1.2 Arithmetics 

Although we said earlier that most of the arithmetic needed was built- 
in to EHDM, we were not quite telling the truth. EHDM supports linear 
arithmetic — that is multiplication by constants only. Several of the formulas 
and constraints needed in the specification and verification of the Interac- 
tive Convergence Clock Synchronization Algorithm require use of nonlinear 
multiplication, and also division — e.g., terms such as appear in the 

constraint C6. 

Although it has a special syntactic form (the infix /), division is unin- 
terpreted in EHDM — the user must supply appropriate axioms just as if it 
were a newly introduced function. Ideally, EHDM should provide a library 
module containing a “standard” axiomatization for division, but this is not 
done at present. Accordingly, we provide some ad hoc axioms for division 
in the module arithmetics. These axioms and the lemmas derived from 
them are adequate for the present purpose, but we have made no attempt 
to construct a minimal or a complete set. The three axioms that we use are 
shown below (the axiom absjdiv in module absolutes is also relevant). 

quotient.ax: AXIOM y /= 0 IMPLIES x/y-x* (1/y) 
quotient_axl : AXIOM x /*= 0 IMPLIES x / x ■ 1 
quot ient_ax2 : AXIOM z > 0 IMPLIES 1 / z > 0 

Several additional properties of division are stated and proved from these 
axioms. 

Multiplication by literal integer constants is treated as repeated addition 
by EHDM, and the ground theorem prover is able to fully decide formulas 
containing such constructs. Nonlinear multiplication can also appear in 
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EHDM specifications, but is treated as an “almost” uninterpreted function. 
It might be better, in fact, if it was completely uninterpreted — so that the 
user could supply and invoke appropriate multiplication axioms under ex- 
plicit control. As it is, the ground prover of EHDM contains heuristics that 
enable it to prove certain results involving nonlinear multiplication, but 
these heuristics render the ground prover incomplete (i.e., it is no longer a 
decision procedure ) 9 — which is unacceptable, given the proving paradigm 
used in EHDM. 

Consequently, the ground prover contains conservative checks that abort 
the proof if there is any possibility that the presence of nonlinear multipli- 
cation will take it beyond its domain of completeness. The only thing to do 
when a proof aborts in this way is to define a new, uninterpreted multipli- 
cation function and use that instead of the built-in function when nonlinear 
multiplication is required. The semantics of the new multiplication function 
have to be provided by explicit axiomatization . 10 

Thus, in the module arithmetics, we define a function mult on the 
rationals and give it the semantics of multiplication by the axiom 
mult_ax: AXIOM mult(x, y) - x * y 
We introduce two additional axioms 

multi: AXIOM x >« 0 AND y >« 0 IMPLIES mult(x, y) >* 0 
mult_mon: AXIOM x < y AND z > 0 IMPLIES mult(x, z) < mult(y, z) 

since attempts to derive these results from the first cause the prover to abort 
and report that it is outside its domain of completeness. Several additional 
properties of mult are stated and proved from these two axioms. 

The quantity £ appears frequently in the proof. We encode this in the 
function half defined by the following axiom: 
half _ax: AXIOM half (x) «= x/2 

We also state and prove a couple of derived properties of this function. 

The module arithmetics is completed by the statement and proof of 
two arithmetic identities (rearrange and rearrange_a.lt) that are used in 
a couple of other modules. Several other arithmetic identities of this form 
are used only once each and are stated and proved in the modules where 
they are required. 

°There is no complete decision procedure for arithmetic with multiplication and there 
is no syntactic characterization for the fragment of nonlinear arithmetic that is decided 
by the EHDM ground prover. 

10 We are actively considering changes in the way EHDM handles nonlinear multiplication 
as part of a review of the prover strategies. 
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4.2.1.3 Natprops 

EH DM does not define a subtraction operator on the natural numbers. The 
naturals are treated as a subtype of the integers in EHDM, so that the ex- 
pression n - m, where n and m are naturals, is interpreted by coercing those 
values to type integer, and then applying the integer subtraction opera- 
tor to yield an integer result. In our treatment of summations, we need 
subtraction-like operators on the naturals, and these are defined axiomati- 
cally in the module natprops. The predecessor function, pred, and a sub- 
traction function diff are defined as follows: 

pred: function [nat -> nat] 

pred.ax: AXIOM n /= 0 IMPLIES pred(n) - n - 1 

diff: function [nat , nat -> nat] 

diff_ax: AXIOM n >= m IMPLIES diff (n, a) - n - m 

Several derived properties of these two functions are stated and proved in the 
module natprops. In addition, we assert that the naturals are nonnegative 
using the following axiom: 

natpos: AXIOM n >= 0 

This is necessary because EHDM treats the naturals as simply a subtype of 
the integers that is closed under addition; no other properties of the naturals 
are built into the prover. 


4.2.1.4 Functionprops 

The module functionprops defines the (higher-order) axiom of function ex- 
tensionality. This is required for one of the proofs in the module sigmaprops. 
We define this axiom for functions of exactly the signature we require (i.e., 
nat -> number) rather than for the more general case (i.e., number -> num- 
ber) because the present version of the EHDM typechecker does not handle 
higher-order subtypes. 

F, G: VAR function [nat -> number] 
x: VAR nat 

extensionality: AXIOM (FORALL x : F(x) - G(x)) IMPLIES F = G 
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4.2. 1.5 Natinduction 

The module natinduction provides a higher-order axiom called indue - 
tion_m used for inductive proofs. The axiom states a principle of simple 
induction on the naturals using a predicate variable prop. 

induction: AXIOM 
(prop(m) 

AND (FORALL i : i >- m AND prop(i) IMPLIES prop(i +1))) 
IMPLIES (FORALL n >« m : prop(n)) 

Informally, it says that if prop is true for m, and prop(i) implies prop (i+i), 
for arbitrary i >= m, then prop is true for all natural numbers n >= m. 
Two special cases of this induction scheme are then introduced as lemmas: 
induction is the case m * 0 and corresponds to the standard induction 
scheme over the naturals; induction.1 is the case m ■ 1. 

Module natinduction also introduces modified induction schemes called 
mod-induction and mod_inductionl that are stated as lemmas and proved 
from the basic inductionjn axiom. The modified scheme nod-induction is 
used in the proof of Theorem_l and is specialized for the proof of predicates 
of the form A(i) D B(i). The inductive step in such cases has the form 

(A(i)DB(i))D(A(i+l)DB(i + l)). 

This is equivalent to 

((A(.)3B(t))AA(.'+l))DB(,' + l) 

which, when we know in addition that A(i -+* 1) D A(t), reduces to 

(A(i+l)AB(t))DB(i + l). 

This is the form for the inductive step that is stated in mod_induction and 
proved in mod_induction_prool. The lemma mod_inductionl is derived in 
a similar fashion. 

Another induction scheme is introduced as an axiom: indue tion2 is 
used in the proof of sigma_xev in module sigmaprops and is specialized for 
the case when the proposition to be proved takes two arguments, and the 
induction is over the second. It can be derived from the standard induction 
scheme, with the addition of quantification over the first argument. 
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4.2. 1.6 Sums and Sigmaprops 

Choosing how primitive the axiomatic basis for a supporting theory should 
be is a matter of taste, conscience, and the time and funds available. Ideally, 
each supporting theory should be built up from a small and primitive set 
of self-evident, well-accepted axioms. Unfortunately, it may then require 
a considerable expenditure of time and effort to build the body of verified 
lemmas and theorems for the supporting theory that are needed to solve the 
actual problem at hand. The alternative is to simply assert as axioms the 
results that are actually needed from the supporting theory. The danger here 
is self-evident — it is remarkably easy to state plausible, but false axioms. 

When formal specification and verification is practised more widely, we 
would expect that verified libraries of common supporting theories will be 
available. In the meantime, we are confronted with a dilemma: either build 
up the supporting theories from primitive axioms — and risk never getting to 
the original problem of interest, or else concentrate on the original problem — 
and risk building on sand. We pursued a variant of the second course in 
developing this proof of the Interactive Convergence Clock Synchronization 
Algorithm. In order to make progress on the main problem, we adopted ex- 
pedient axioms at first, then as time has permitted, we went back to develop 
the supporting theories with greater care and with a view to incorporating 
them in libraries. 

Our first verification of the Interactive Convergence Clock Synchroniza- 
tion Algorithm used high-level axiomatizations of the concepts of summa- 
tions and means from the module sums. Later, we developed a module 
sigmaprops that establishes results very similar to those used in sums as 
verified consequences of very primitive definitions. Later still, we replaced 
all the axioms in module sums by equivalent lemmas that are proven from 
those in sigmaprops. When time permits, we may make a final revision to 
these parts of the specification in order to render them suitable for inclusion 
in a library. 

Sums. The module sums introduces two higher-order functions, called sum 
(I^£i(*3)) and mean (©*i(*3)), respectively. Each takes three arguments: 
the first two are natural numbers, and the third is a function from the 
natural to the rational numbers. The intended interpretation for sum is that 
it sums the function supplied as its third argument from the value supplied 
as its first argument to that supplied as its second. That is, in conventional 
mathematical notation, 
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i 

Bum(i, j , F) = ^F(r) 

r~\ 

If 3 < «, the value of sum is intended to be zero. The actual definition of 
the function sum is accomplished by the axiom sum^ax in terms of the more 
primitive function sigma which is described in the next subsection. 

The axiom mean-ax specifies the (arithmetic) mean function in terms of 
the sum function in the obvious way. The lemma mean JLemma simply restates 
the definition of mean directly in terms of the more primitive function sigma. 
Ten further lemmas then introduce additional properties of the sum and mean 
functions. 

The first, split _sum, states that under suitable conditions a summation 
from t to j is equal to the sum of two smaller summations: one from t to 
k y and the other from k + 1 to j. split jne an, the corresponding result for 
mean, is proved directly from split-sum. 

Lemma sumJbound says that if a function is bounded by a constant x 
throughout the range t to j, then its summation over that range is bounded 
by xx (j — t + 1); the lemma mean_bound states the corresponding result 
for the mean function and is proved from sumJbound. 

The lemmas mean^const and meanjault simply state that the mean of 
a constant is that constant, and that the mean of a function multiplied by a 
constant is the same as the mean of the function multiplied by the constant. 
Mean_sum and mean_diff state that the mean of the sum or difference of 
two functions are equal to the sum or difference of the means. Abs_mean 
states that the absolute value of a mean is less than or equal to the mean of 
the absolute values. Finally, rearrange_sum states a simple property that 
is needed in module summations. 

The lemmas in module sums are derived from similar results stated for 
the more primitive sigma function in the module sigmaprops, which is 
described next. 

Sigmaprops. The module sigmaprops introduces a function sigma 
(c(*l, *2, *3)) similar to sum described above. The significant difference, 
however, is that whereas sum(i , j , F) is intended to denote the sum of F 
from i to j, a(i, n, F)is intended to denote the sum of F from i to i + 
n - 1 (i.e,, the sum of n terms). 

Sigma is defined by the recursive definition sigmajax and seven lemmas 
concerning this function are then stated and proved. The names used for 
the lemmas are in correspondence with those used for the lemmas in sums: 
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for example, split-sigma in sigmaprops corresponds to split-sum and 
split-mean in sums. The proofs in sigmaprops mostly use induction; the 
induction schemes employed are from the module natinduction. 

Some of the proofs in sigmaprops use a function revsigma which is 
defined like sigma, but with the recursion going in the opposite direc- 
tion. A lemma called sigma-rev proves that these two functions are ex- 
tensionally equal. A second function, called bounded, also used internally 
by sigmaprops is introduced and defined by the axiom boundedjax. Since 
they are used only by the proofs in sigmaprops, it might be preferable if the 
declarations of revsigma and bounded, together with the axioms that define 
these functions, were placed in the proof part of the module, rather than 
the theory part. However, EHDM does not allow axiom declarations in the 
proof section of a module. (Additional axioms change the theory, which is 
supposed to be specified by the theory part.) The definitions for revsigma 
and bounded could be moved to the proof section only if they were declared 
as formulas; the proof chain checker would then report a dependency on 
unproved formulas. A planned extension of the language by a facility for 
defining auxiliary concepts will solve this dilemma. 


4.2.2 Specification Modules 

The specification of the Interactive Convergence Clock Synchronization Al- 
gorithm is performed in three modules described below. 


4.2.2. 1 Time 

The module time is the first one that introduces concepts directly concerned 
with the Interactive Convergence Clock Synchronization Algorithm. It in- 
troduces clocktime, realtime and period as types, and establishes the 
rationals as the interpretation of the first two, and the naturals as the inter- 
pretation of the third. R, S, and T.ZER0 (T°) are introduced as constants 
of type clocktime, and then the functions T_sup (T^* 1 )), in_R_interval 
(*1 € and in_S interval (*1 € S^* 2 )) are introduced and defined 

(by the axioms T_sup_ax, Rdel, and Sdef) in the obvious way. 

The constraint Cl (R >= 3 * S) is defined here, and also the axioms 
posR and posS which assert that R and S are both greater than zero. Several 
straightforward lemmas are stated and proved. 
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4.2. 2.2 Clocks 

The module clocks introduces proc (short for processor) as a type in- 
terpreted by the naturals, and introduces the clock, correction, adjusted- 
value, and logical clock functions: clock (c*j(*2)), Corr (c£ 2) ), adjusted 

(Ai an d rt (cj^ ^(*3)), respectively. The third of these is given an 

interpretation in terms of the second. The fourth is defined axiomatically 
(so that we can control its application) in terms of the first and third. 

Next, the drift rate rho (p) is introduced as a constant of type ratio- 
nal number, together with the predicate goodclock. The intention is that 
goodclockCp, T1 , T2) will be true when processor p is a good clock in the 
clock time interval [T1 , T2] . This is specified in the axiom gc jx. Finally, 
the predicate nonfaulty is introduced and the assumption A1 is stated. 
Whereas the informal statement of A1 says that if p is nonfaulty through 
period s , then (this implies that) p has a good clock during the correspond- 
ing interval, the formal definition uses equivalence instead of implication. 
This is necessary because we will later need to prove that if p is nonfaulty 
through period i + 1, then it is also nonfaulty through period t. 

Our definition of goodclock implies that a good clock is strict monotonic 
increasing. This fact is stated as the Theorem monotonicity and proved in 
the proof part of module clocks. 

4.2. 2.3 Algorithm 

The heart of the Interactive Convergence Clock Synchronization Algorithm 
is defined in the module algorithm. We introduce n and n as constants of 
type proc, and assert that n is nonzero (axiom CO_a) and that 0 <« m < n 
(axiom CO_b) . The constants eps (e), deltaO ( 6 0 ), delta ( 6 ), and Delta 
(A) are introduced and the constraints C2 to C6 are stated. The constraint 
that Delta be strictly positive is also stated (as axiom CO_c). 

Next, the functions Deltal (a£ 1} ), Delta2 (A<**] 2 ), and D2bar (A^z) 
are introduced, and the Interactive Convergence Clock Synchronization Al- 
gorithm itself is specified in the three axioms Algl , Alg2, and Alg3. 

The clock synchronization conditions are specified next. First, we define 
a function skew: skew(p, q. T, i) is the skew between the logical clocks 
of processors p and q in period i at clock time T (i.e., |c^(T) - c^(T)|). In 
the traditional mathematical presentation, we identified SI with the require- 
ment that the skew between nonfaulty processors should always be less than 
6. However, we also need to consider the condition under which this bound 


58 


Chapter 4. Formed Specification and Verification in EHDM 


should hold — namely that there should be at most m faulty processors. We 
regard this condition as the antecedent to SI and identify it with the predi- 
cate S1A; the bound on the skew between the clocks of nonfaulty processors 
we consider the consequent of SI and identify it with the predicate SIC. The 
axiom SICdef states the bound on the acceptable skew between nonfaulty 
processors p and q in period i, while the axiom SlAdef states the require- 
ment that there should be at least m-n processors nonfaulty through that 
period. The specification of this last requirement: 

(FORALL r: (m+1 <= r AND r <= n) IMPLIES nonfaulty(r, i)) 

assumes that it is those processors numbered m + 1 . . . n that are the non- 
faulty ones. Clearly there is no loss of generality in this. 

The clock synchronization condition S2, which is identified with the pred- 
icate S2, is defined in the axiom S2_ax. 

Finally, the two theorems which assert, respectively, S1A D SIC and S2 
are defined. The proof of the latter is simple and is performed directly in 
the proof part of the module algorithm. 

4.2.3 Proof Modules 

The proof of Theorem .2 (the Interactive Convergence Clock Synchronization 
Algorithm maintains the clock synchronization condition S2) is provided 
directly in the module algorithm. The proof of Theorem_l (the Algorithm 
maintains clock synchronization condition Si) spans 10 modules that are 
described below. 

4.2.3.1 Clockprops 

The module clockprops is chiefly concerned with establishing some bounds 
on Ap\T + II) that are needed to establish Lemma 2. These bounds are 
stated as the lemmas upper-bound, lower-bound, and lower_bound2. A 
subsidiary lemma called adj _always_pos is also stated; it is used in the proof 
of lower-bound, which in turn is used to establish lower_bound2. The proof 
of adj .always .pos itself requires an induction. The proof of upper-bound, 
on the other hand, is straightforward. 

The two lemmas nonfx and SlA-lemma complete the module clock- 
props. The first states that if a module is nonfaulty through period i + 1, 
then it is certainly nonfaulty through period i. This is established as a con- 
sequence of A1 and the definition of a good clock (gcjoc). SlA_lemma states 
the corresponding result for S1A, and is proved directly from nonfx. 
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4.2. 3. 2 Lemmas 1 to 6 

These follow exactly the structure and naming described in Chapter 2. In- 
deed, the description in that chapter was derived directly from the formal 
specifications and proofs in these six modules. 

Each lemma is stated and proved in a module with the appropriate 
name. The result called Sublemma A is to be found as a subsidiary lemma 
sublemma_A in the module lemma6. 

4.2. 3. 3 Summations 

The module summations is concerned with establishing the inductive step 
needed in the proof of Theorem_l. This result is stated as the lemma called 
culmination, and is proved from a series of intermediate lemmas named 11 
through 15. 

The lemma 11 connects the main term in the conclusion of Lemma 6 
with the averaging step performed by the Algorithm (specified in Alg2). 
Lemma 12 splits the summation implicitly involved in 11 into two smaller 
summations — one over the faulty processors and one over the nonfaulty ones. 
Lemma 13 uses Lemma 5 to obtain a bound on the sum of the errors intro- 
duced by the faulty processors; a subsidiary lemma called bound-faulty is 
used in the process. 

Lemma 14 uses Lemma 4 to obtain a bound on the sum of the er- 
rors introduced by the nonfaulty processors; a subsidiary lemma called 
bound_nonfaulty is used in the process. The proof of this lemma uses 
Theorem_l; we discuss this below (on Page 60). 

Lemma 15 simply combines lemmas 12, 13 and 14; the culmination 
lemma is proved by combining 15 with Lemma 6. 

4. 2. 3.4 Juggle 

The module juggle proves the lemma re arrange .delta. This result is a 
straightforward algebraic manipulation and is quite simple to do by hand. 
Its proof in EHDM, however, is rather tedious. The source of the difficulty 
is the appearance of nonlinear multiplication. As explained earlier, the 
EHDM ground prover is incomplete in the presence of nonlinear arithmetic. 
Consequently, the module juggle contains several lemmas that essentially 
switch between the interpreted multiplication symbol and the uninterpreted 
mult function in order to establish some simple arithmetic identities. The 
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main proof is then accomplished in 6 steps using intermediate lemmas named 
stepl through step5. 

4.2.3. 5 Main 

The module main provides the proof of Theorem_l. It uses the induction 
scheme mod_induction from the module nat induct ion, with the main work 
for the inductive step provided by the culmination lemma from module 
summations. The rather grotesque arithmetic manipulation required to 
complete the proof is provided by the lemma re arrange jdelta from the 
module juggle. 

As noted above, the inductive proof of Theorem_l depends on the lemma 
culmination from the module summations. The proof of culmination de- 
pends on the lemma bound jioniaulty, whose own proof depends on The- 
orem-1. Thus, there is a potential circularity in our proof of the theorem — 
which is indeed detected by the EHDM proof chain checker. In fact, this 
circularity is apparent, rather than real, as it occurs in the context of an 
inductive proof, in which the theorem is used for i in the part of the proof 
that extends it to i + 1. We are working towards constructing a proof 
description that reflects this induction step more straightforwardly. 

4.3 Statistics and Observations 

The specification and verification described here was performed using EHDM 
Version 4.1.4 running on a Sun workstation. EHDM is written in Common 
Lisp; the current version for Sun workstations uses the Lucid 2.1 Common 
Lisp implementation. The particular workstation used for this exercise was 
a Sun 3/75 with 8 Mbytes of real memory and 56.5 Mbytes of swap space 
on a lightly loaded Sun 3/160 file server with Fujitsu Eagle and Super-Eagle 
disk drives and slow Xy logics controllers. 

The specifications described here occupy 20 modules, comprising about 
1,550 (nonblank) lines of EHDM. There are 166 proofs in the full speci- 
fication and it takes about an hour to prove them all (a little under 18 
seconds each, on average). It is hard to obtain accurate timing for individ- 
ual proofs, since the occurrence of garbage collection introduces tremendous 
variability — however, the worst case seems to be about a minute and a half. 

The proofs in each module are summarized in the table below, which 
reproduces part of the output from the EHDM “proveall” command. 
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Module absolutes: 

12 proofs 

Module algorithm: 

5 proofs 

Module arithmetics: 

25 proofs 

Module clockprops: 

12 proofs 

Module clocks: 


2 proofs 

Module functionprops: 

no proofs 

Module juggle: 


14 proofs 

Module lemmal: 


1 proof 

Module lemma2: 


5 proofs 

Module lemma3: 


1 proof 

Module lemma4: 


6 proofs 

Module lemma5: 


3 proofs 

Module lemma6: 


4 proofs 

Module main: 


3 proofs 

Module natinduction: 

5 proofs 

Module natprop: 

3 : 

7 proofs 

Module sigmaprops: 

28 proofs 

Module summations: 

9 proofs 

Module sums: 


19 proofs 

Module time: 


6 proofs 


Table 4.1: Proof Summaries for EHDM Modules 
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Of course, the raw statistics of CPU time and numbers of proofs and 
lines of specification text are among the most superficial measures one can 
provide for a formal specification and verification. More interesting are the 
questions of how much human effort was required, whether the benefits of the 
exercise could have been obtained more cheaply by other techniques, and 
whether the particular specification and verification techniques and tools 
used were a help or a hindrance to the effort. 

Unfortunately, we did not accurately record the human effort expended 
on this exercise, so the following account relies on memory. Our first attempt 
to perform the verification occupied a week, with both of us devoting about 
three-quarters of our time to the effort. One of us broke the published proof 
of Lamport and Melliar-Smith down into elementary steps, while the other 
encoded these in EHDM and persuaded the theorem prover to accept the 
proofs. At this point we had caught the typographical errors in Lemmas 2 
and 4, and had proofs of Lemmas 1, 3, 4, and 5 — but Lemma 2 was essentially 
taken as an axiom. Approximate equality and inequalities were used freely 
at this stage, although several of the formulas needed were mentally flagged 
as suspicious. 

It was when we attempted to establish Lemma 2 as a consequence of a 
more primitive axiomatization of the properties of good clocks that we first 
came to suspect that the published proof was flawed. Once we had satisfied 
ourselves that this was indeed so, we became more critical of other aspects 
of the published proof and checked all the formulas (treated as axioms at 
this stage) needed to support the use of approximations. This led us to 
fully recognize the flawed character of the proofs for Lemma 4 and the main 
Theorem. 

Until this point we had merely been attempting to mechanize the pub- 
lished proof, and had not really internalized that proof, nor tried indepen- 
dently to re-create it. As a result of discovering flaws in the published proof, 
our interest in the verification exercise increased considerably and w r e sought 
not only to eliminate the use of approximations, but to simplify and system- 
atize the proof as well. The elimination of approximations was accomplished 
quite easily, and simplification of the proofs of Lemmas 1, 3, 4 and 5 was 
achieved by more systematic use of the arithmetic “rearrangement” identi- 
ties (e.g., x = (ti — v) + (v - u;) - (u — [tu + x]) used in Lemma 1). All this 
work was done by hand, and only cast into EHDM and mechanically verified 
towards the end. 

Our restructuring and better understanding of the proofs reduced the 
EHDM proof declarations for Lemmas 3 and 4 to between a half and a third 
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of their previous lengths (elimination of the unnecessary II from Lemma 
3 also contributed to the simplification of its proof). It was during this 
stage of the mechanical verification, that we recognized the need for several 
variants on Lemma 2, and for modifications to Assumption A2. This stage 
of the effort (including the manual reformulation of the proof, as well as its 
mechanization) consumed about three man- weeks. 

Next we mechanized the proof of the main theorem, developing the mod- 
ules lemma6, summations, and main. The formulas in module sums were 
developed while doing the proofs in module summations and were used as 
axioms at this stage — which consumed about two-man weeks. 

Finally, we began to put the whole verification together and to prepare 
this document. We developed the module sigmaprops and used it to prove 
the previously unproved formulas in module sums. We discovered several mi- 
nor flaws in the statements of those formulas while performing their proofs. 
As we began to describe and document our specifications and proofs, we 
filled in missing fragments (e.g., the module juggle, which took a man-day 
to create), and continually revised the modules of the supporting theories 
in order to simplify and systematize the axiomatic basis on which the whole 
verification depends. This process proceeded in parallel with the preparation 
of this report — both activities together consumed about two man-months. 

We have described the chronology of this effort in some detail to illustrate 
the following points: 

• The mechanical verification was interleaved with pencil and paper 
mathematics, and each activity stimulated the other. We expand on 
this below, but the essential point is that formal specification and 
verification assists rather than replaces human thought and scrutiny. 

• A substantial portion of the time devoted to the mechanical verifica- 
tion was expended on the supporting theories. As formal verification 
becomes more widely practiced, we would expect libraries of such the- 
ories to become established, so that later efforts can concentrate their 
efforts on the problem of real interest. 11 If we neglect the effort spent 
on the supporting theories, then the time required to perform the me- 
chanical verification was of a similar order to that required to prepare 
an adequately detailed “journal-level” description and proof for human 
consumption (i.e., the first 3 Chapters of this report). 

n EHDM provides linguistic and system support (in the form of module parameterization, 
and a mechanism for managing module libraries, respectively) that are explicitly intended 
for the support of reusable specifications. 
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• “High-level” axioms are almost always wrong! The main benefit of 
mechanical verification is the extreme rigor of the scrutiny to which 
proofs are subjected. This benefit is subverted if axioms are intro- 
duced casually. It was not until we attempted to build our proofs on 
the most basic definition of a good clock, and seriously scrutinized 
the lemmas required of the approximation operators, that we began 
to discover the flaws in the published proof. Similarly, our first-cut 
axiomatizations of the summation operators were flawed (typically at 
boundary cases). Others who have undertaken formal specification 
and verification exercises have privately reported similar experiences. 

Our current verification depends on 47 axioms. Of these, 29 (6 in 
module time, 6 in clocks and 17 in algorithm) define the concepts, 
constraints, and algorithm of direct interest. The other 18 introduce 
supporting concepts (e.g., summation) or properties of arithmetic be- 
yond those built into the system (i.e., some of the properties of division 
and multiplication). We spent a great deal of effort reducing the num- 
ber and simplifying the content of these 18 supporting axioms and we 
believe that they correspond to conventional interpretations of the con- 
cepts concerned. Similarly, we believe that the 29 axioms underlying 
our development of the Interactive Convergence Clock Synchroniza- 
tion Algorithm are a simple and near-minimal foundation on which to 
construct the definition and analysis of this algorithm. 

It is always necessary to scrutinize axioms with great care, and we 
believe that this can best be accomplished if the axioms are as simple 
and as few as feasible. Our experience suggests that it can be very 
time-consuming to pare away at the axiomatic foundation of a proof, 
but that it is very worthwhile to do so. 

It is difficult to answer the question whether the flaws we found in the 
published analysis of the Interactive Convergence Clock Synchronization 
Algorithm could have been discovered more easily by other methods. Once 
the flaws are known, they are easy to describe and their presence in the 
published proof is almost painfully obvious. Nonetheless, as far as we know, 
these flaws were not discovered previously. The reputation of the journal 
in which the paper was published, and of its authors, may have caused 
some to assume that the proof “must be right” without further scrutiny, 
and may have stilled any doubts in the minds of those who examined the 
proof in sufficient detail to become concerned by some of its details. Some 
who scrutinized the proof with great care decided that it would be easier to 
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develop their own analysis than to persuade themselves of the veracity of 
the original. 12 

The root difficulty, we believe, lies in the fact that the proof in [11], 
though neither mathematically deep nor intrinsically interesting, is aston- 
ishingly intricate in its details. The analysis of many algorithms, computer 
programs, and similar artifacts shares this characteristic — and renders the 
standard “mathematical demonstration” (which forms the basis for the con- 
sensus model of classical mathematics) unreliable in these contexts. 

The only reliable method for conducting such highly intricate analyses 
is, we believe, a strictly formal one — one in which the “symbols do the work” 
just as they do in arithmetic and other detailed calculations. Formal cal- 
culations can introduce their own class of errors, but their formal character 
means that they can be checked easily (if tediously) by others. Once the 
decision to use a strict formalism has been taken, the additional cost of sub- 
jecting the calculations to mechanical checking is not great — providing the 
formal system and notation used by the machine does not differ too much 
from that used by the hand and brain. 

We found that EHDM served us very well from this perspective. Because 
EHDM uses a standard logic (predicate calculus) with all the usual quan- 
tifiers and connectives, transliterating from the notation of Lamport and 
Melliar-Smith into the specification language of EHDM was straightforward. 
Automation of the reverse translation (by the I^TjjX-printer) enabled us to 
do most of our work and thinking using compact and familiar notation and 
thereby contributed greatly to our productivity. The higher-order capabili- 
ties of EHDM allowed us to define the summation and averaging operators 
very straightforwardly and also enabled us to tailor induction schemes ap- 
propriately. 

The arithmetic decision procedures of EHDM were of immense value in 
the formal verification. We doubt that verification environments lacking 
such decision procedures could accomplish the work described here without 
unreasonable effort. Most of the really tedious theorem proving that we 
undertook arose at the boundary of the arithmetic decision procedures (i.e., 
in dealing with division and non-linear multiplication). There is no perfect 
solution to these difficulties (the theories concerned are undecidable), but a 
better integration of decision procedures, incomplete heuristics, and man- 
ual guidance is both possible and desirable — and will be pursued in further 
developments of EHDM. We found the basic theorem-proving paradigm of 

12 Fred Schneider has told us that this was one of the motivations behind [15]. 
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EHDM straightforward and adequate for its purpose (though others, espe- 
cially novices, might not agree). The correspondence between the informa- 
tion in an EHDM “prove” declaration and that required for a journal-level 
proof description is quite close. Naturally, increased automation of details 
(for example, use of term rewriting to mechanize equational theories, and 
automatic discovery of substitution instances) 13 would be welcome, but we 
did not find theorem proving to be a bottleneck. (Discovering the correct 
theorems to prove was the bottleneck.) 

The module structure supported by the EHDM specification language 
and its support environment simplified the task of managing and compre- 
hending a formal development that eventually became quite large, and en- 
abled us to keep track of undischarged proof obligations. The latter service 
was particularly valuable, due to the way in which our formal specification 
and verification were developed. Our approach was very much top-down: we 
introduced lemmas whenever it was convenient to do so, and worried about 
proving them later. We may have carried this approach a little too far in 
the early stages (i.e., we did not examine the content of our lemmas with 
sufficient care), but we did not know at that period whether our attempt to 
mechanically verify the algorithm would be successful 14 and we were anxious 
to explore the more obviously difficult parts first. 

Overall, we did not find the formal specification and mechanical ver- 
ification of the Interactive Convergence Clock Synchronization Algorithm 
particularly demanding. The main difficulty was the sheer intricacy of the 
argument, and we found the discipline of formal specification and verification 
to be a help, rather than a hindrance, in finally mastering this complexity. 

We found that EHDM served us reasonably well; we do not know whether 
other specification and verification environments would have fared as well 
or better. Understanding the practical benefits and limitations of different 
approaches to formal specification and mechanical theorem proving is nec- 
essary for sensible further development of verification environments. Con- 
sequently, we invite the developers and users of other verification systems 
to repeat the experiment described here. We suggest that the Interactive 
Convergence Clock Synchronization Algorithm is a paradigmatic example 
of a problem where formal verification can show its value and a verification 
system can demonstrate its capabilities: it is a “real” rather than an artifi- 

ls The instantiator of EHDM accomplishes both of these tasks very effectively for proofs 
in pure predicate calculus, but is much less useful when arithmetic is employed extensively. 

l4 The algorithm (or rather an implementation of it) had been asserted to be “probably 
beyond the ability of any current mechanical verifier* [2, page 9]. 
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cial problem, its verification is large enough to be challenging without being 
overwhelming, it requires a couple of fairly interesting supporting theories, 
and its proofs are quite intricate and varied. 


Chapter 5 

Conclusions 


a The virtue of a logical proof is not that it compels belief but that 
it suggests doubts * [10, page 48] 

Verification does not prove programs “correct”; it merely establishes 
consistency between one description of a system and another. The extent 
to which such consistency can be equated with correctness depends on the 
extent to which one of the descriptions accurately states all the properties 
required of the system, on the extent to which the other accurately and 
completely describes its actual behavior, and on the extent to which the 
demonstration of consistency between these two descriptions is performed 
without error. 

In practice, all three of these limitations on “correctness” pose significant 
challenges. The behavior of the actual system will depend on physical pro- 
cesses that may not admit completely accurate descriptions, or that may be 
subject to random effects, while the properties required of the system may 
not be fully understood, let alone fully recorded in its specification. And 
demonstration of consistency between the two descriptions of the system 
will be subject to the errors attendant upon any human enterprise. For - 
mal specification and verification attempts to control and delimit some of 
the difficulties associated with verification; the use of formal specifications 
can at least provide precise and unambiguous descriptions of the intended 
behavior of the system — the questions remain whether these descriptions 
correctly capture what is really required, or what the behavior of the sys- 
tem really is, but at least the doubt about what the descriptions themselves 
mean is removed. Formal verification attempts to put the demonstration 
of consistency between two system descriptions onto a more reliable basis 


68 



69 


by making it a mathematical — indeed, calculational — activity that can be 
checked by a mechanical theorem prover. Of course, the validity of this 
approach depends on the extent to which the semantics of the specification 
language are correctly implemented by its support environment, and on the 
correctness of the mechanical theorem prover. These represent significant 
challenges, but they are at least more sharply posed than the problems with 
which we began. 

Formal verification is no more than a formalization of one of the com- 
ponents in the widely practiced software quality assurance process called 
Verification and Validation (V&V). Validation (testing), the other compo- 
nent to this process, is not made redundant or unnecessary by formalizing 
the verification component. Indeed, formal verification can help clarify the 
assumptions that should be validated by explicit testing. 

The opening paragraphs of the introductory document to EHDM [l] make 
our own attitude clear: 

“Writing formal specifications and performing verifications that 
really mean something is a serious engineering endeavor. Formal 
specification and verification are often recommended for systems 
that perform functions critical to human safety or national se- 
curity, but it must be understood that formal analysis alone 
cannot provide assurance that a system is fit for such a critical 
function. Certifying a system as “safe” or “secure” is a respon- 
sibility that calls for the highest technical experience, skill, and 
judgment — and the consideration of multiple forms of evidence. 

Other important forms of analysis and evidence that should be 
considered for critical systems are systematic testing, quantita- 
tive reliability measurement, software safety analysis, and risk 
assessment. Also, it should be understood that the purpose of 
formal verification is not to provide unequivocal evidence that 
some aspects of a system design and implementation are “cor- 
rect,” but to help you the user convince yourself of that fact; the 
verification system does not act as an oracle, but as an impla- 
cable skeptic that insists on you explaining and justifying every 
step of your reasoning — thereby helping you to reach a deeper 
and more complete understanding of your system.” 

The opponents to formal verification [7, 9] ignore caveats such as those 
expressed above (which are similar to those expressed by all serious pro- 
ponents of formal verification) and perform a straw man attack in which 
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verification is set up as an unequivocal demonstration of correctness, and in 
which intelligent human participation is minimized in favor of an omniscient 
mechanical verifier. For example, De Millo, Lipton and Perlis [7] claim that: 

“The scenario envisaged by the proponents of verification goes 
something like this: the programmer inserts his 300-line in- 
put/output package into the verifier. Several hours later, he 
returns. There is his 20,000-line verification and the message 
‘VERIFIED’.” 

This is parody. In a paper published several years earlier [19], von Henke 
and Luckham indicated the true nature of the scenario envisioned by the 
proponents of verification when they wrote: 

“The goal of practical usefulness does not imply that the verifi- 
cation of a program must be made independent of creative effort 
on the part of the programmer . . . such a requirement is utterly 
unrealistic.” 

The thrust of De Millo, Lipton and Perlis’ argument is that formal veri- 
fication moves responsibility away from the “social process” that involves 
human scrutiny, towards a mechanical process with little human participa- 
tion. In reality, a verification system assists the human user to develop a 
convincing argument for the correctness of his program by acting as an im- 
placably skeptical colleague who demands that all assumptions be stated and 
all claims justified. The requirement to explicate and formalize what would 
otherwise be unexamined assumptions is especially valuable. Shankar [16], 
for example, observes: 

“The utility of proof-checkers is in clarifying proofs rather than in 
validating assertions. The commonly held view of proof-checkers 
is that they do more of the latter than the former. In fact, very 
little of the time spent with a proof-checker is actually spent 
proving theorems. Much of it goes into finding counterexam- 
ples, correcting mistakes, and refining arguments, definitions, or 
statements of theorems. A useful automatic proof-checker plays 
the role of a devil’s advocate for this purpose.” 

This perspective on mechanical theorem proving is very similar to that de- 
veloped by Lakatos [10] for the role of proof (not just mechanical theorem 
proving) in mathematics. Crudely, this view is that successful completion is 
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among the least interesting and useful outcomes of a proof attempt; the real 
benefit comes from failed proof attempts, since these challenge us to revise 
our hypotheses, sharpen our statements, and achieve a deeper understanding 
of our problem. 

Our own experience with the verification of the Interactive Convergence 
Clock Synchronization Algorithm supports this view. Most of our time was 
spent in trying to prove theorems and lemmas that turned out to be false, 
in coming to understand why they were false, and in revising their state- 
ments, or those of supporting lemmas and assumptions. The difficulties we 
encountered were consequences of genuine technical flaws in the previously 
published analysis of the Algorithm [11], and we consider the main benefit 
of this exercise to be the identification and correction of those flaws. The 
corrections led us to eliminate the use of approximations, thereby allowing 
precise statements of the constraints on the values of the parameters to the 
Algorithm, and led us to modify one of the assumptions (A2) underlying 
the Algorithm, thereby changing its external specification slightly. Our cor- 
rections to the statements and proofs of some of the lemmas led us to a 
more uniform method for doing those proofs. When reflected back into a 
traditional mathematical presentation (given in Chapter 2), we consider the 
result to be an analysis that is not only more precise, but simpler and easier 
to follow than the original. 

Thus, we believe that a significant benefit from our formal verification is 
an improved informal argument for the correctness of the Interactive Con- 
vergence Clock Synchronization Algorithm. We hope that anyone contem- 
plating using the Algorithm will study our presentation and will convince 
themselves of the correctness of the Algorithm and of the appropriateness of 
the assumptions (and of the ability of their implementation to satisfy those 
assumptions). 

Our formal verification does not usurp the “social process’’ in which De 
Millo, Lipton and Perlis place their faith, but should serve to shift its focus 
from details to fundamentals. We note that the “social process” apparently 
failed to discover the flaws that we have noted in the main theorem concern- 
ing the Interactive Convergence Clock Synchronization Algorithm, and in 
four of its five lemmas. This is not surprising: the standards of rigor and for- 
mality in the normal “mathematical demonstration” are simply inadequate 
to the intricacy and detail required for the analysis of many algorithms and 
programs. Mechanically checked verification provides valuable supplemen- 
tary scrutiny and evidence in these cases. 
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The extent to which our verification provides a formal guarantee of the 
correctness of the Interactive Convergence Clock Synchronization Algorithm 
is compromised by the fact that the representation of the problem is some- 
what abstracted from reality. The aspect of the representation of the clock 
synchronization problem that causes us most concern is the basic definition 
of a clock. Real clocks increment in discrete “ticks” whose magnitude may 
be quite large compared with some of the other parameters in the system. 
Using the rationals as the interpretation of clock time is therefore unreal- 
istic, as is the requirement that a good clock should be a strict monotonic 
function. Schneider [15] presents a model which treats these aspects more 
realistically; formalizing this approach provides an interesting challenge for 
the future. 

A further challenge will be to formalize and verify an implementation of 
the Interactive Convergence Clock Synchronization Algorithm — so far, we 
have simply verified properties of the algorithm itself. Our current work is 
addressing these challenges; we expect to report our results in early 1990. 
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Appendix A 

Cross-Reference Listing 


This Appendix provides two cross-reference tables to assist in reading and 
navigating the EHDM specifications that follow. The first provides the trans- 
lations used between EHDM identifiers and the symbols used in the tradi- 
tional mathematical presentation and in the I^TjpC-printed version of the 
specifications. The second table provides a cross-reference listing to the 
identifiers declared in the EHDM specification. 
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Appendix A. Cross-Reference Listing 


Identifier 

Translation 

abs 

|*1| 

adjusted 


clock 


Corr 

ol; !) 

D2bar 

aS2, 

Delta 

A 

delta 

6 

deltaO 

6 o 

Deltal 

c? 

< 

Delta2 

A (*3) 

eps 

€ 

Gamma 

r 

half 

★1 

2 

in _R .interval 

*1 e 

inJ3 .interval 

★1 € S<* 2 ) 

mean 


mult 

*1 x *2 

PHI 

$ 

PI 

n 

rho 

p 

rt 


Sigma 

E 

sigma 

<t(*1,*2,*3) 

sum 

x:ti* 3 ) 

TO 

To 

T1 

Ti 

tl 

1 1 

T2 

T 2 

t2 

h 

TN 

T n 

T_sup 

rp(*l) 

TJERO 

yO 


Table A.l: IAT^X-Printer Translations for EHDM Identifiers 
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Identifier 

Type of Declaration 

Module where Declared 

AO 

axiom 

algorithm 

A1 

axiom 

clocks 

A2 

axiom 

algorithm 

A2_aux 

axiom 

algorithm 

abs 

function 

absolutes 

absolutes 

module 

absolutes 

abs_ax 

axiom 

absolutes 

abs.axO 

lemma 

absolutes 

abs_axl 

lemma 

absolutes 

abs_ax2 

lemma 

absolutes 

abs_ax2b 

lemma 

absolutes 

abs_ax2c 

lemma 

absolutes 

abs.ax3 

lemma 

absolutes 

abs.ax4 

lemma 

absolutes 

abs_ax5 

lemma 

absolutes 

abs_ax6 

lemma 

absolutes 

abs_ax7 

lemma 

absolutes 

abs_ax8 

lemma 

absolutes 

abs.div 

axiom 

absolutes 

abs_div2 

lemma 

arithmetics 

abs_div2 .proof 

prove 

arithmetics 

abs _mean 

lemma 

sums 

abs_mean_proof 

prove 

sums 

abs.proofO 

prove 

absolutes 

abs.proofl 

prove 

absolutes 

abs_proof2 

prove 

absolutes 

abs_proof2b 

prove 

absolutes 

abs.proof2c 

prove 

absolutes 

abs_proof3 

prove 

absolutes 

abs_proof4 

prove 

absolutes 

abs.prooffi 

prove 

absolutes 

abs_proof6 

prove 

absolutes 

abs_proof7 

prove 

absolutes 

abs .proof 8 

prove 

absolutes 

absjsum 

lemma 

sums 

abs .sum-proof 

prove 

sums 

abs .times 

axiom 

absolutes 


Table A.2: Cross-Reference to EHDM Identifiers 
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Appendix A. Cross-Reference Listing 


Identifier 

Type of Declaration 

Module where Declared 

adjusted 

function 

clocks 

adj_always.pos 

lemma 

clockprops 

adj_pos_proof 

prove 

clockprops 

Algl 

axiom 

algorithm 

Alg2 

axiom 

algorithm 

Alg3 

axiom 

algorithm 

algorithm 

module 

algorithm 

alt-8b_step-proof 

prove 

sigmaprops 

alt_sigmaJbound_step 

lemma 

sigmaprops 

arithmetics 

module 

arithmetics 

basis 

lemma 

clockprops 

basis 

lemma 

main 

basis_proof 

prove 

clockprops 

basis_proof 

prove 

main 

bounded 

function 

sigmaprops 

bounded _ax 

axiom 

sigmaprops 

bounded Jemma 

lemma 

sigmaprops 

bounded_proof 

prove 

sigmaprops 

bounds 

lemma 

clockprops 

bounds_proof 

prove 

clockprops 

bound-faulty 

lemma 

summations 

bound-faulty .proof 

prove 

summations 

bound monfaulty 

lemma 

summations 

bound .nonfaulty .proof 

prove 

summations 

CO_a 

axiom 

algorithm 

C0.b 

axiom 

algorithm 

COjc 

axiom 

algorithm 

Cl 

axiom 

time 

C2 

axiom 

algorithm 

C2and3 

lemma 

algorithm 

C2and3_proof 

prove 

algorithm 

C3 

axiom 

algorithm 

C4 

axiom 

algorithm 

C5 

axiom 

algorithm 

C6 

axiom 

algorithm 


Table A.3: Cross-Reference to EHDM Identifiers (Continued) 
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Identifier 

Type of Declaration 

Module where Declared 

cancellation 

lemma 

arithmetics 

cancellation_mult 

lemma 

arithmetics 

cancellation_mult_proof 

prove 

arithmetics 

cancellation .proof 

prove 

arithmetics 

cancel_mult 

lemma 

juggle 

c ancel .mult .proof 

prove 

juggle 

clock 

function 

clocks 

clockdef 

axiom 

clocks 

clockprops 

module 

clockprops 

clocks 

module 

clocks 

clocktime 

type 

time 

clock .proof 

prove 

algorithm 

clock.prop 

lemma 

algorithm 

Corr 

function 

clocks 

Cross 

reference 

of 

culmination 

lemma 

summations 

culm_proof 

prove 

summations 

D2bar 

function 

algorithm 

D2bar_prop 

lemma 

algorithm 

D2bar_prop_proof 

prove 

algorithm 

Delta 

const 

algorithm 

delta 

const 

algorithm 

deltaO 

const 

algorithm 

Deltal 

function 

algorithm 

Delta2 

function 

algorithm 

diff 

function 

natprops 

diffl 

lemma 

natprops 

diff 1 .proof 

prove 

natprops 

diff_ax 

axiom 

natprops 

diff .diff 

lemma 

natprops 

diff .diff .proof 

prove 

natprops 

diffineq 

lemma 

natprops 

diff _ineq_proof 

prove 

natprops 

diff .plus 

lemma 

natprops 

diff.plus.proof 

prove 

natprops 

diff jero 

lemma 

natprops 

diffjzero .proof 

prove 

natprops 


Table A. 4: Cross-Reference to EHDM Identifiers (Continued) 
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Appendix A. Cross-Reference Listing 


Identifier 

Type of Declaration 

Module where Declared 

diminish 

lemma 

clocks 

diminish-proof 

prove 

clocks 

distrib4jdiv 

lemma 

juggle 

distrib4jdiv .proof 

prove 

juggle 

distrib6 

lemma 

juggle 

distrib6jdiv 

lemma 

juggle 

distrib6jdiv .proof 

prove 

juggle 

distrib6jnult 

lemma 

juggle 

distrib6_mult.proof 

prove 

juggle 

distrib6_proof 

prove 

juggle 

divjdistr 

lemma 

arithmetics 

div.distr_proof 

prove 

arithmetics 

divjnon 

lemma 

arithmetics 

div_mon2 

lemma 

arithmetics 

div_mon2_proof 

prove 

arithmetics 

divjmon_proof 

prove 

arithmetics 

divjnult 

lemma 

arithmetics 

div_mult2 

lemma 

arithmetics 

div_mult2_proof 

prove 

arithmetics 

divjnult_proof 

prove 

arithmetics 

div_prod 

lemma 

arithmetics 

div_prod2 

lemma 

arithmetics 

div_prod2.proof 

prove 

! arithmetics 

div_prod.proof 

prove 

arithmetics 

div .times 

lemma 

arithmetics 

div_times_proof 

prove 

arithmetics 

eps 

const 

algorithm 

extensionality 

axiom 

functionprops 

final 

prove 

juggle 

functionprops 

module 

functionprops 

gc.ax 

axiom 

clocks 

gc_proof 

prove 

clockprops 

gc_prop 

lemma 

clockprops 

goodclock 

function 

clocks 


Table A.5: Cross-Reference to EHDM Identifiers (Continued) 
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Identifier 

Type of Declaration 

Module where Declared 

half 

function 

arithmetics 

half2 

lemma 

arithmetics 

half2 .proof 

prove 

arithmetics 

half3 

lemma 

arithmetics 

half3 .proof 

prove 

arithmetics 

half_ax 

axiom 

arithmetics 

i2R 

lemma 

clockprops 

i2R_proof 

prove 

clockprops 

Identifier 

Type 

Module 

induction 

lemma 

natinduction 

inductionl 

lemma 

natinduction 

induction 1 .proof 

prove 

natinduction 

induction2 

axiom 

natinduction 

inductionjn 

axiom 

natinduction 

induction_proof 

prove 

natinduction 

inductivejstep 

lemma 

clockprops 

ind.proof 

prove 

clockprops 

ind_proof 

prove 

main 

ind_step 

lemma 

main 

inRS 

lemma 

time 

inRS_proof 

prove 

time 

in_R Jnterval 

function 

time 

in _S .interval 

function 

time 

inJSJemma 

lemma 

time 

in JS .proof 

prove 

time 

juggle 

module 

juggle 

11 

lemma 

summations 

ll .proof 

prove 

summations 

12 

lemma 

summations 

l2_proof 

prove 

summations 

13 

lemma 

summations 

13 .proof 

prove 

summations 

14 

lemma 

summations 

14 .proof 

prove 

summations 

15 

lemma 

summations 

15. proof 

prove 

summations 


Table A.6: Cross-Reference to EHDM Identifiers (Continued) 
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Appendix A. Cross-Reference Listing 


Identifier 

Type of Declaration 

Module where Declared 

lemmal 

module 

lemmal 

lemmaldef 

lemma 

lemmal 

lemmal .proof 

prove 

lemmal 

lemma2 

module 

lemma2 

lemma2a 

lemma 

lemma2 

lemma2a_proof 

prove 

lemma2 

lemma2b 

lemma 

lemma2 

lemma2b_proof 

prove 

lemma2 

lemma2c 

lemma 

lemma2 

lemma2c.proof 

prove 

lemma2 

lemma2d 

lemma 

lemma2 

lemma2def 

lemma 

lemma2 

lemma2d .proof 

prove 

lemma2 

lemma2x 

lemma 

lemma4 

lemma2x.proof 

prove 

lemma4 

lemma2 .proof 

prove 

lemma2 

lemma3 

module 

lemma3 

lemma3def 

lemma 

lemma3 

lemma3 .proof 

prove 

lemma3 

lemma4 

module 

lemma4 

lemma4def 

lemma 

lemma4 

lemma4 .proof 

prove 

lemma4 

lemmaS 

module 

lemmaS 

lemma5def 

lemma 

lemmaS 

lemmaSproof 

prove 

lemmaS 

lemma6 

module 

lemma6 

lemma6def 

lemma 

lemma6 

lemma6_proof 

prove 

lemma6 

lower. bound 

lemma 

clockprops 

lower _bound2 

lemma 

clockprops 

lower_bound2 .proof 

prove 

clockprops 

lower .bound .proof 

prove 

clockprops 

m 

const 

algorithm 

main 

module 

main 


Table A.7: Cross-Reference to EHDM Identifiers (Continued) 
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Identifier 

Type of Declaration 

Module where Declared 

mean 

function 

sums 

mean_ax 

axiom 

sums 

mean_bound 

lemma 

sums 

meanJbound.proof 

prove 

sums 

mean_const 

lemma 

sums 

me an .const .proof 

prove 

sums 

mean_diff 

lemma 

sums 

mean.diff.proof 

prove 

sums 

mean Jemma 

lemma 

sums 

meanJemma_proof 

prove 

sums 

meanjnult 

lemma 

sums 

me an _mul t .proof 

prove 

sums 

meanjsum 

lemma 

sums 

mean ^um.proof 

prove 

sums 

mod-induction 

lemma 

natinduction 

mod jnductionl 

lemma 

natinduction 

mod Jnductionl .proof 

prove 

natinduction 

modinductionjn 

lemma 

natinduction 

modJnduction_proof 

prove 

natinduction 

mod_m .proof 

prove 

natinduction 

mod_sigmajnult 

lemma 

sigmaprops 

mod_sigma_mult_proof 

prove 

sigmaprops 

monoproof 

prove 

clocks 

monotonicity 

theorem 

clocks 

mult 

function 

arithmetics 

multO 

lemma 

arithmetics 

multCLproof 

prove 

arithmetics 

multi 

axiom 

arithmetics 

mult2 

lemma 

arithmetics 

mult2 .proof 

prove 

arithmetics 

mult3 

lemma 

arithmetics 

mult3.proof 

prove 

arithmetics 

mult4 

lemma 

arithmetics 

mult 4 .proof 

prove 

arithmetics 


Table A. 8: Cross-Reference to EHDM Identifiers (Continued) 
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Appendix A. Cross-Reference Listing 


Identifier 

Type of Declaration 

Module where Declared 

mult_ax 

axiom 

arithmetics 

mult-div 

lemma 

arithmetics 

mult_div -proof 

prove 

arithmetics 

multineql 

lemma 

juggle 

mult_ineql_proof 

prove 

juggle 

multJneq2 

lemma 

juggle 

mult Jneq2_proof 

prove 

juggle 

mult_mon 

axiom 

arithmetics 

mult_mon2 

lemma 

arithmetics 

mult _mon 2 _pr o of 

prove 

arithmetics 

n 

const 

algorithm 

natinduction 

module 

natinduction 

natpos 

axiom 

natprops 

natprops 

module 

natprops 

nonfaulty 

function 

clocks 

nonfx 

lemma 

clockprops 

nonfx_proof 

prove 

clockprops 

period 

type 

time 

posR 

axiom 

time 

posS 

axiom 

time 

pos_abs 

lemma 

absolutes 

pos_abs_proof 

prove 

absolutes 

pred 

function 

natprops 

pred_ax 

axiom 

natprops 

pred-diflf 

lemma 

natprops 

pred.difLproof 

prove 

natprops 

predJemma 

lemma 

natprops 

predJemma_proof 

prove 

natprops 

proc 

type 

clocks 

quotient-ax 

axiom 

arithmetics 

quotient Jixl 

axiom 

arithmetics 

quotient _ax2 

axiom 

arithmetics 

quotient-mult 

lemma 

arithmetics 

quotient_mult_proof 

prove 

arithmetics 


Table A.9: Cross-Reference to EHDM Identifiers (Continued) 
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Identifier 

Type of Declaration 

Module where Declared 

R 

const 

time 

Rdef 

axiom 

time 

realtime 

type 

time 

rearrange 

lemma 

arithmetics 

rearrangel 

lemma 

arithmetics 

rearrangel 

lemma 

lemma4 

rearrangel 

lemma 

lemma5 

rearrangel_proof 

prove 

arithmetics 

rearrangel .proof 

prove 

lemma4 

rearrangel .proof 

prove 

lemma5 

rearrange2 

lemma 

arithmetics 

rearrange2 

lemma 

lemma4 

rearrange2 

lemma 

lemma5 

rearrange2 .proof 

prove 

arithmetics 

rearrange2_proof 

prove 

lemma4 

rearrange2_proof 

prove 

lemma5 

rearranges 

lemma 

lemma4 

rearranges .proof 

prove 

lemma4 

rearrange_alt 

lemma 

arithmetics 

rearrange _alt_proof 

prove 

arithmetics 

rearrange.delta 

lemma 

juggle 

rearrange_proof 

prove 

arithmetics 

rearrange_sub 

lemma 

sums 

rearrangejsub.proof 

prove 

sums 

rearrange-sum 

lemma 

sums 

rearrange jsum_proof 

prove 

sums 

reciprocal 

lemma 

juggle 

reciprocal-proof 

prove 

juggle 

revsigma 

function 

sigmaprops 

revsigma-ax 

axiom 

sigmaprops 

rho 

const 

clocks 

rho_pos 

axiom 

clocks 

rhojsmall 

axiom 

clocks 

rt 

function 

clocks 

S 

const 

time 


Table A. 10: Cross-Reference to EHDM Identifiers (Continued) 
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Appendix A. Cross-Reference Listing 


Identifier 

Type of Declaration 

Module where Declared 

S1A 

function 

algorithm 

SlAdef 

axiom 

algorithm 

SlAJemma 

lemma 

clockprops 

S1A Jemma-proof 

prove 

clockprops 

slb_proof 

prove 

sigmaprops 

SIC 

function 

algorithm 

SICdef 

axiom 

algorithm 

SIC Jemma 

lemma 

algorithm 

SIC Jemma-proof 

prove 

algorithm 

sls_.proof 

prove 

sigmaprops 

S2 

function 

algorithm 

S2_ax 

axiom 

algorithm 

S2_pqr 

lemma 

summations 

S2_pqr_proof 

prove 

summations 

sa_basis_proof 

prove 

sigmaprops 

sa_proof 

prove 

sigmaprops 

8a_step_proof 

prove 

sigmaprops 

sb 

lemma 

sigmaprops 

sb_basis_proof 

prove 

sigmaprops 

sb .proof 

prove 

sigmaprops 

sb_step_proof 

prove 

sigmaprops 

sc_basis_proof 

prove 

sigmaprops 

sc.proof 

prove 

sigmaprops 

scj5tep_proof 

prove 

sigmaprops 

Sdef 

axiom 

time 

Sigma 

const 

algorithm 

sigma 

function 

sigmaprops 

sigmal 

lemma 

sigmaprops 

sigmal Jbasis 

lemma 

sigmaprops 

sigmal .proof 

prove 

sigmaprops 

sigmal jstep 

lemma 

sigmaprops 

sigmaprops 

module 

sigmaprops 

sigma_abs 

lemma 

sigmaprops 

sigma_abs.basis 

lemma 

sigmaprops 

sigma^abs_step 

lemma 

sigmaprops 

sigma_ax 

axiom 

sigmaprops 


Table A. 11: Cross-Reference to EHDM Identifiers (Continued) 
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Identifier 

Type of Declaration 

Module where Declarec 

sigma_bound 

lemma 

sigmaprops 

sigmaJbound2 

lemma 

sums 

sigma _bound2_proof 

prove 

sums 

sigmaJbound.basis 

lemma 

sigmaprops 

sigmaJbound.proof 

prove 

sigmaprops 

sigmaJ>ound_step 

lemma 

sigmaprops 

sigmaxonst 

lemma 

sigmaprops 

sigmaxonst_basis 

lemma 

sigmaprops 

sigmaxonst xtep 

lemma 

sigmaprops 

sigma_mult 

lemma 

sigmaprops 

sigma_mult_basis 

lemma 

sigmaprops 

sigma_multxtep 

lemma 

sigmaprops 

sigma_rev 

lemma 

sigmaprops 

sigmaxev .basis 

lemma 

sigmaprops 

sigmaxev .proof 

prove 

sigmaprops 

sigmaxev jstep 

lemma 

sigmaprops 

sigmajsum 

lemma 

sigmaprops 

sigmaxum_basis 

lemma 

sigmaprops 

sigmaxumxtep 

lemma 

sigmaprops 

SinR 

lemma 

time 

SinR.proof 

prove 

time 

skew 

function 

algorithm 

small .shift 

lemma 

clockprops 

small_shift.proof 

prove 

clockprops 

sm_basis_proof 

prove 

sigmaprops 

sm .proof 

prove 

sigmaprops 

smxtep.proof 

prove 

sigmaprops 

split Jjasis .proof 

prove 

sigmaprops 

splitxnean 

lemma 

sums 

split _mean_proof 

prove 

sums 

split .proof 

prove 

sigmaprops 

splitxigma 

lemma 

sigmaprops 

splitxigmaJbasis 

lemma 

sigmaprops 

split_sigma_step 

lemma 

sigmaprops 

splitxtep.proof 

prove 

sigmaprops 

split jsum 

lemma 

sums 

splitxum_proof 

prove 

sums 


Table A.12: Cross-Reference to EHDM Identifiers (Continued) 
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Appendix A. Cross-Reference Listing 


Identifier 

Type of Declaration 

Module where Declared 

srb.proof 

prove 

sigmaprops 

8rp_proof 

prove 

sigmaprops 

8s_basis-proof 

prove 

sigmaprops 

ss .proof 

prove 

sigmaprops 

ss_step_proof 

prove 

sigmaprops 

stepl 

lemma 

juggle 

step 1 .proof 

prove 

juggle 

step2 

lemma 

juggle 

step2_proof 

prove 

juggle 

step3 

lemma 

juggle 

step3 .proof 

prove 

juggle 

step4 

lemma 

juggle 

step4_proof 

prove 

juggle 

step5 

lemma 

juggle 

step5 .proof 

prove 

juggle 

sub 1. proof 

prove 

lemma6 

8ub2_proof 

prove 

lemma6 

eublemmal 

lemma 

lemma4 

sublemmal 

lemma 

lemma6 

sublemmal .proof 

prove 

lemma4 

sublemma2 

lemma 

1 

lemma6 

sublemma-A 

lemma 

lemma6 

sub_A_proof 

prove 

lemma6 

sum 

function 

sums 

summations 

module 

summations 

sums 

module 

sums 

sum.ax 

axiom 

sums 

sum.bound 

lemma 

sums 

sum.boundO 

lemma 

sums 

sum.boundO.proof 

prove 

sums 

sum.bound 1 

lemma 

sums 

sum.bound 1 .proof 

prove 

sums 

sum.bound2 

lemma 

sums 

sum.bound2_proof 

prove 

sums 

sum .bound _mod 

lemma 

sums 

sum.bound jnod .proof 

prove 

sums 

sum.bound.proof 

prove 

sums 


Table A. 13: Cross-Reference to EHDM Identifiers (Continued) 
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Identifier 

Type of Declaration 

Module where Declared 

sum_mult 

lemma 

sums 

sum_mult.proof 

prove 

sums 

Theorem_l 

theorem 

algorithm 

Theorem_l_proof 

prove 

main 

Theorem_2 

theorem 

algorithm 

Theorem_2_proof 

prove 

algorithm 

time 

module 

time 

times_half 

lemma 

arithmetics 

times _h alf .proof 

prove 

arithmetics 

Tiin_R 

lemma 

time 

Ti_in_S 

lemma 

time 

TijnJS .proof 

prove 

time 

Ti.proof 

prove 

time 

T_next 

lemma 

time 

T_next_proof 

prove 

time 

Tjsup 

function 

time 

Tjsup^x 

axiom 

time 

TJERO 

const 

time 

upper .bound 

lemma 

clockprops 

upper .bound.proof 

prove 

clockprops 

zero.correction 

axiom 

clocks 


Table A. 14: Cross-Reference to EHDM Identifiers (concluded) 



Appendix B 

©TgX-printed Specification 
Listings 


The following specification listings were formatted and converted to math- 
ematical notation automatically using the EHDM MjjX-printer. The raw 
EHDM text is in Appendix D. All the proofs in these listings have been 
checked by the EHDM theorem prover using the EHDM variable settings 
prmode * checking and prlambdafree * everywhere. 
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Module 

Page 

Absolutes 

92 

Algorithm 

120 

Arithmetics 

94 

Clockprops 

123 

Clocks 

118 

Functionprops 

100 

Juggle 

139 

Lemma 1 

126 

Lemma2 

127 

Lemma3 

129 

Lemma4 

130 

Lemma5 

132 

Lemma6 

133 

Main 

144 

Natinduction 

101 

Natprops 

98 

Sigmaprops 

108 

Summations 

135 

Sums 

103 

Time 

116 


Table B.l: Page References to EHDM Specification Modules 
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Appendix B. printed Specification Listings 


absolutes: Module 
Exporting | * 1| 

Theory 

a, b, w, x, y, z: VAR number 
| * 1|: function [number — > number] 

abs^ax: Axiom |a| = if a < 0 then - a else a end if 

abs.times: Axiom |a * 6| = |a| * |6| 

abs-div: Axiom b^ 0 D |a/6| = |a|/|6| 

abs_axO: Lemma 0 = |0| 

abs_axl: Lemma 0 < |i| 

abs_ax2: Lemma \x + y| < |i| -f- |y| 

abs_ax2b: Lemma \x + y + z\ < |x| + |y| + \z\ 

abs_ax2c: Lemma |u> + x + y + z\ < |w| + |*| + |y| + \z\ 

abs_ax3: Lemma | - x\ — \x\ 

abs_ax4: Lemma \x — y| = |y — x\ 

abs^ax5: Lemma 0<xAx<zA0<yAy<zD|x-y|<z 

abs_ax6: Lemma |x| < y D —y < x A x < y 

abs^ax7: Lemma |x| = ||x|| 

abs_ax8: Lemma |x — y| < 1*1 + |y| 

pos_abs: Lemma 0 < x D |x| = x 

Proof 

abs_proofO: Prove abs.axO from abs_ax {a <— 0} 

abs_proofl: Prove abs.axl from abs_ax {a <— x] 

abs_proof2: Prove abs_ax2 from 

abs_ax {a *— x + y}, absjtx {a <— i}, abs.ax {a <— y} 

abs_proof2b: Prove abs_ax2b from 

abs^ax2 {y «- y + z}, abs^ax2 {x «— y, y <— z} 



Absolutes 


abs_proof2c: Prove abs^ax2c from 

abs_ax2 {x <— w, y <— * + y + z}, abs^ax2b 

abs_proof3: Prove abs.ax3 from abs_ax {a <— x}, abs_ax {a 

abs_proof4: Prove absjuc4 from 

abs_ax {a <— x — y}, abs_ax {a «— y - x} 

abs_proof5: Prove abs_ax5 from abs^ax {a <— x — y} 

abs_proof6: Prove abs^ax6 from abs^ax {a +- x} 

abs.proof7: Prove abs_ax7 from abs^axl, abs_ax {a «— |i|} 

abs_proof8: Prove abs.ax8 from 

abs_ax {a «— x — y}, abs_ax {a «— i}, absjax {a «— y} 

pos_abs_proof: Prove pos^abs from absjax {a <— x} 

End absolutes 
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Appendix B. J&TgX-printed Specification Listings 


arithmetics: Module 
Using absolutes 

Exporting *1 x *2, f with absolutes 
Theory 

a, b, c, u, v, w, x, y, z: VAR number 

*1 x *2: function [number, number — ► number] 

Y- function [number — > number] 

(* -*) 

quotient .ax: Axiom y ^ 0 D x/y = x * (1/y) 
quotient-axl: Axiom i^OD x/x = 1 
quotient_ax2: Axiom 2 > 0 D 1/z > 0 

(* -*) 

div .times: Lemma y^OD (x/y )*z = (x*z)/y 
div_distr: Lemma z^ODx/z + y/z = (x-\-y)/z 
abs_div2: Lemma y > 0 D |x/y| = |i|/y 
divjnon: Lemma x < y A z > 0 D x/z < y/z 
div_mon2: Lemma x<yAx>0Dx/z <y/z 
div .prod: Lemma y>0Aa<x*yD a/y < x 
div.prod2: Lemma y > OA a < x*y D a/y < x 
cancellation: Le mm a y^O D (y * x)/y = x 

(* *) 

mult .ax: Axiom x x y = x * y 

multi: Axiom x>0Ay>0Dxxy>0 

mult jnon: Axiom x<yAz>ODxxz<yxz 

(* *) 


mult jnon2: Lemma x<yAz>ODxxz<yxz 
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cancellation _mult: Lemma y^ODix y/y = x 
multO: Lemma y = 0Dixy = 0 
mult_div: Lemma y^OD x/y x y = x 

r •) 

half_ax: Axiom | = x/2 

(* *) 

times_half: Lemma 2 * § = x 

half 2: Lemma | + f = x 

half3: Lemma 2*§xy=xxy 

mult2: Lemma 2 * (x x y) = (2 * x) x y 

mult3: Lemma xxy + z = xxy + xxz 

mult4: Lemma 0<iAy<?Dixy<ix: 

rearrange: Lemma 

|x - y| < |x - (w + v)| + |y - (tv + z)\ + |u + v - (tv + z) \ 
rearrange_alt: Lemma |x - y| < \x - (tt + v)| + |u - tv| + |y - (tv + t>)| 

Proof 

div.times-proof: Prove div.times from 
quotient_ax, quotient-ax {x <— x * z} 

div_distr_proof: Prove div.distr from 
quotient^ax {y ♦— z), 
quotient_ax {x <— y, y «— z), 
quotient_ax {x *— x + y, y ♦- z} 

abs.div2_proof: Prove abs_div2 from 

abs.div {a <— x, b *— y}, pos_abs {x «— y} 

quotient .mult: Lemma y ^ 0 D x/y — x x 1/y 

quotient jnult-proof: Prove quotient_mult from 
quotient_ax, mult_ax {y <— 1/y} 
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div_mon_proof: Prove divjnon from 
multjnon {z <— 1/z}, 
quotient jnult {y <— z}, 
quotient-mult {x «— y, y z}, 
quotient-ax2 

div_mon2 .proof: Prove div_mon2 from divjnon 

div_mult: Lemma y>0A a < xxy D a/y < x 

div_mult_proof: Prove div_mult from 

div_mon {z *- y, x <— a, y «- x X y}, cancellation-mult 

div_mult2: Lemma y > 0 A a < x x y D a/y < x 

div_mult2_proof: Prove div jnult2 from 

div_mon {z <— y, x <— a, y <— x x y}, cancellation jnult 

div .prod .proof: Prove div .prod from div jnult, mult-ax 

div.prod2_proof: Prove div_prod2 from div jnult2, mult-ax 

cancellation-proof: Prove cancellation from 

div .times {x <— y, z <— x}, quotient _axl {x <— y} 

multjnon2.proof: Prove mult jnon2 from multjnon 

cancellationjnult_proof: Prove cancellation-mult from 
cancellation, multjax 

multO-proof: Prove multO from mult_ax {y <— 0} 

multjdiv .proof: Prove mult_div from 

mult-ax {x <— x/y}, div .times {z *- y}, cancellation 

times Jialf.proof: Prove times .half from 

halLax, div .times {y 2, z «— 2}, cancellation {y *— 2} 

half2_proof: Prove half2 from times Jialf 

half3 .proof: Prove half3 from mult2 {x <— |}, times Jialf 

mult2_proof: Prove mult2 from mult_ax, mult-ax {x *— 2 * x} 

mult3-proof: Prove mult3 from 

multJix, mult_ax {y z), mult-ax {y y + z} 

mult4_proof: Prove mult4 from mult3 {z •*— z - y}, multi {y *— z - y} 
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rearranged Lemma 

* ~ V = (* - (« + t/)) + (u> + z - y) + (u + v - (to + z)) 
rearrangel .proof: Prove rearrangel 
rearrange2: Lemma 

|(x - (u + v)) + (u; + z - y) + (ti + v - (u; + *))| 

< \x - (u + v)| + |y - (w + z)\ + |u + v - (w + z)\ 

rearrange2_proof: Prove rearrange2 from 

abs_ax2b {x <- x - (u + v), y 4- u + v - (w + z), z <- w + z - y}, 
abs_ax3 {x <— w -f z - t/} 

rearrange_proof: Prove rearrange from rearrangel, rearrange2 
rearrange_alt_proof: Prove rearrange_alt from rearrange {z <- v} 
End arithmetics 
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natprops: Module 

Exporting pred, diff 

Theory 

i, m, n: VAR nat 
pred: function [nat —* nat] 

natpos: Axiom n > 0 

pred_ax: Axiom n / 0 D pred(n) = n - 1 

diff: function[nat, nat — » nat] 

difLax: Axiom n > m D diff(n, m) — n - m 

pred Jemma: Lemma pred(n + 1) = n 

difLzero: Lemma n > m D diff(n, m) > 0 

pred_difF: Lemma n > m D pred(diff(n, m)) = diff(n, m + 1) 

diffl: Lemma n > m D diff(n + 1, m + 1) = diff(n, m) 

difLdiff: Lemma 

n>mAn>iAm>t'D diff(diff(n, »'), diff(m, *)) = diff(n, m) 
diff_plus: Lemma n > m D m + diff(n, m) = n 
diff Jneq: Lemma n>mAn>i'Am>«D diff(n, t) > diff(m, i) 

Proof 

predJemma_proof: Prove predJemma from pred_ax {n <— n + 1}, natpos 

diff -zero_proof: Prove difLzero from difLax 

pred.difLproof: Prove pred_diff from 

pred_ax {n *— diff(n,m)}, difLax, difLax {m <— m + 1} 

diffl .proof: Prove diffl from 

difLax, difLax {n «— n + 1, m <— m + 1} 

diff_diff_proof: Prove difLdiff from 
difLax, 

difLax {m <— *}, 

difLax {n <— m, m «— »}, 

difLax {n <— diff(n,i), m <— diff(m,i)} 
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difLplus-proof: Prove diff-plus from difLax 

diff_ineq_proof: Prove difLineq from 

difLax {m *— *}, difLax {n <— m, m <— *} 

End n at props 
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functionprops: Module 
Theory 

F,G: VAR function [nat — *• number] 
x: VAR nat 

extensionality: Axiom (Vx: F(x) — G(x)) D F = G 
End functionprops 


! 
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natinduction: Module 
Using natprops 
Theory 

i, iO, il, i2, i3, j, m, n: VAR nat 
prop, A, B: VAR function[nat — > bool] 
prop2: VAR function [nat, nat — ♦ bool] 

induction_m: Axiom 

(prop(m) A ( V i: * > m A prop(i) 3 prop(» + 1))) 

3 ( Vn: n > m 3 prop(n)) 

induction2: Axiom 
( V iO: prop2(i0, 0)) 

A (Vj: (Vil: prop2(il,i)) 3 (Vi2: prop2(i2,j + 1))) 

3 ( Vi3, n: prop2(i3, n)) 

mod _induction_m: Lemma 

( v j: j > m A A{j + 1) D A(j)) 

A ((A(m) 3 B(m)) A ( Vi: » > m A A(i + 1) A B(i) D B(i + 1))) 
3(Vn:n>mA A(n) 3 B(n)) 


induction: Lemma 

(prop(0) A (Vi: prop(i) 3 prop(i + 1))) 3 (Vn: prop(n)) 

mod .induction: Lemma 
( Vj: A(j + 1) 3 A(j)) 

A ((A(0) 3 B(0)) A ( V i: A(» + 1) A B(i ) 3 B(i + 1))) 
3 (Vn: A(n) 3 B(n)) 


inductionl: Lemma 

(prop(l) A ( Vi: i > 1 A prop(t) 3 prop(* + 1))) 
3(Vn:n>l3 prop(n)) 


i 
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modJnductionl: Lemma 

(Vj:j>lAA(i+l)DA(i)) 

A ((A(l) D P(l)) A ( Vi: i > 1 A A(i + 1) A B(i) D B(i + 1))) 
D(Vn:n>lA A(n) D B(n)) 


Proof 

mod_m_proof: Prove modJnductionjn {i <— i@pl, j *— i} from 
induction_m {prop «— ( Ai-+ bool : A(i) D B(i))} 

induction-proof: Prove induction {i <— i@pl} from 
induction_m {m <— 0}, natpos 

modJnduction_proof: Prove mod Jnduction {i <— i@pl, j <— j@pl} from 
modJnductionjn (m *— 0}, natpos 

induction 1 .proof: Prove inductionl {i «— i@pl} from 
induction jn {m •‘—1} 

modJnductionl .proof: Prove modJnductionl {i <— i@pl, j +— j@pl} 
from modJnductionjn {m *— 1} 

End natinduction 
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sums: Module 

Using arithmetics, natprops, sigmaprops 
Exporting E:i(*3),©£(*3) 

Theory 

* , j, k, n, pp, qq, rr: VAR nat 

x, y, z: VAR number 

F,G : VAR function [nat — ► number] 

E*i(*3): function[nat, nat, function[nat — ♦ number] —* number] 
©*i(*3): function [nat, nat, function[nat — *• number] — » number] 

sum_ax: Axiom 

Ei F = if * < j + 1 then <r(i,diff(j + 1,*), F) else 0 end if 
mean_ax: Axiom 

©< F = if i < j then E< F/(j + 1 - 1 ) else 0 end if 

meanJemma: Lemma 
©}> = if i<j 

then er(i, diff(j + 1, »), F)/(j + 1 - *) 
else 0 
end if 

split-sum: Lemma 

i* < j + 1 At < k + 1 A k < j D EJ> = ?2iF + Ej +1 F 

split_mean: Lemma 

» < j A i < k + 1 A k < j 

=>©’> = (E? F + Ei +1 F)/U - .--hi) 


sum.bound: Lemma 

* < j + 1 A ( V pp: * < pp A pp < j D F(pp) < x ) 
3 Ei F < x * (j - * + 1) 


mean .bound: Lemma 

* < 3 A ( Vpp: i < pp A pp < j D l^(pp) < x) D F < * 
mean-const: Lemma i < j D x = ©* ( A qq — ► number : x) 
mean_mult: Lemma ©?.F*x = ©?(A qq-> number : F( qq) * x) 
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meanjsum: Lemma 

©< F + ©? G = ©j( A qq— » number : F(qq) + G(qq)) 
mean.diff: Lemma 

®-F-©jG = ®J(A qq— ^ number : P(qq) - G(qq)) 

abs_mean: Lemma | ©■ ,F| < ©?( Aqq— ► number : |F(qq)|) 

rearrange_sum: Lemma 

t'<i3i + ©|>-(y + 0jG) 

= ©< ( A qq-> number : x + P(qq) - (y + G(qq))) 


Proof 

mean Jemma_proof: Prove mean Jemma from mean-ax, sum-ax 

r •) 

split Jsum_proof: Prove split jum from 
8um_ax, 

sum_ax {j «— k}, 
sum_ax {i -< — A: + 1}, 

split-sigma {n <— diff(j + 1,»), m <- di S(k + 1,«), i «- i}, 
difLdiff {n «— j + 1, m «— k + 1}, 
diff_plus {n <— k + 1, m <— i}, 
diffineq {n *— j + 1, m <— *+1} 

split_mean.proof: Prove split-mean from split-sum, mean-ax 

(* *) 


sigma Jbound2: Lemma 

n>0A(Vk:t<fcAfc<i + pred(n) D F(k) < x) 
D er(i, n, F) < x x n 


sigma_bound2_proof: Prove sigmaJbound2 {k <— k@pl} from 
sigma_bound, mult_ax {y <— n} 

sum-bound .mod: Lemma 

* < j A ( V pp: i < pp A pp < j D F{pp) < x) 

=> Ei F < X x (j + 1 - *) 
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sum_bound_mod_proof: Prove sum.bouDd.mod {pp «— k@p2} from 
sum.ax, 

sigma_bound2 {n <— diff(y + l,t), i «— »}, 
pred.difiF {n <— j + 1, m <— *}, 
difLax {n <— j + 1, m <— t}, 
difF_ax {n <— j + 1, m *— i + 1} 

sum-boundl: Lemma 

* < j A ( V pp: $ < pp A pp < j D F(pp) < x) 

D F < x* (j - i + 1) 


sum_boundl_proof: Prove sum-boundl {pp «— pp@pl} from 
8um.bound.mod, mult_ax {y <— j + 1 — *} 

sum_boundO: Lemma 

* = j + 1 A ( Vpp: i < pp A pp < j D F( pp) < x ) 

D Ei F < X x (j + 1 - i) 


sum_boundO_proof: Prove sum.boundO from 
sum_ax {i *— j + 1}, 
difiLax {n <— j + 1, m <- j + 1}, 
sigma^ax {i ♦- j + 1 , n <- 0 }, 
multO {y *— j + 1 — *} 

sum_bound2: Lemma 

* < j + 1 A ( V pp: t < pp A pp < j D F(pp) < x) 
D £< F < * X (j + 1 - 0 


sum_bound2.proof: Prove sum.bound2 {pp «— pp@pl} from 
sum.bound jnod, sum_boundO 

sum_bound_proof: Prove sum-bound {pp «— pp@pl} from 
sum_bound2, mult_ax {y «— j + 1 — *} 

(* *) 


me an abound .proof: Prove mean-bound {pp 4 — pp@pl} from 
sum-boundl, mean-ax, div-prod {a 4 - F, y <— j — i + 1} 
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mean .const .proof: Prove mean-const from 
mean Jemma {F <— (Aqq—* number : i)}, 
sigmaxonst {n «— di ff(j + 1,*), i <— *'}, 
difLax {n <— j + 1, m *'}, 
cancellation {y «— j + 1 — *} 


sum_mult: Lemma F *x = J^(X qq-* number : F(qq) * x) 

sum_mult .proof: Prove sum_mult from 
sum.ax, 

sum_ax {F «— ( A qq— ► number : F(qq) * x)}, 
mod-sigma_mult {i <— t, n <— + 1, »*)} 

mean_mult-proof: Prove mean_mult from 
mean_ax, 

mean-ax {F <— ( A qq— ► number : F(qq) * x)}, 
sum_mult, 

div -times {x <— F@p3, y «— j + 1 - *, z «— *} 

(* *) 

mean .sum-proof: Prove mean_sum from 

mean Jemma {F «— ( Aqq— ♦ number : F(qq) + G(qq))}, 
meanJemma, 
mean Jemma {F *— G}, 
sigmaxurn {n <— diff(j> + 1, t), i <— t}, 
div_distr {x *- er(i, diff(j + l,i), F), 
y *- a[t, diff(j + l,i),G), 
z <— j + 1 - »} 


mean_diff_proof: Prove mean_difF from 

mean_mult {F «— G, x * 1}, 

mean-sum {G <— (Aqq— ♦ number : G(qq) * -1)} 

* 
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abs-sum: Lemma | £< ^1 < Ei( Aqq-» number : |.F(qq)|) 

absjBum -proof: Prove abs-sum from 
sum-ax, 

sum_ax {F 4— ( Aqq— ► number : |F(qq)|)}, 
sigma_abs {n 4— diff(j + 1 , t), i <— 1}, 
abs_ax 0 

abs .mean -proof: Prove absjnean from 
mean_ax, 

mean_ax {F 4— ( Aqq— ► number : |F(qq)|)}, 
absj 3 um, 

abs_div 2 {x 4— F, y 4— j + 1 - «}, 

div_mon 2 {x 4- | F|, y 4— F@p 2 , z 4- j + 1 - *}> 

abs-axO 

c — *> 


rearrange_sub: Lemma 

« < j D x + ©? F = ©• ( A qq— ► number : * + F(qq)) 

rearrange-sub_proof: Prove rearrangejsub from 

mean.const, mean_sum {G 4— ( Aqq— ► number : x)} 

rearrange_sum-proof: Prove rearrangejsum from 
rearrange-sub, 

rearrange jsub {x <— y, F <— G}, 

mean-diff {F 4— ( A pp— ► number : x + F@c(pp)), 

G 4— ( A pp— ► number : y + G@c(pp))} 


End sums 



108 


Appendix B. WT^pi-printed Specification Listings 


sigmaprops: Module 

Using arithmetics, natprops, functionprops, natinduction 
Exporting <r(*l,*2,*3) 

Theory 

t,il,i2,y,fc,/: VAR nat 

F,G : VAR function[nat — » number] 

n, m, mm, nn, qq: VAR nat 

x, y : VAR number 

<r(*l,*2,*3): function[nat, nat, function[nat — ► number] — ► number] 

sigma_ax: Axiom 

a(i, n,F)= if n = 0 
then 0 

else F(i + pred(n)) + cr(i, pred(n), F) 
end if 

sigmaxonst: Lemma <r(i, n, ( A qq— ► number : x)) = n * x 
sigma jnult: Lemma 

o(i, n, ( A qq— + number : x * F(qq))) = x * a(i, n, F) 

mod_sigma_mult: Lemma 

<r($, n, ( A qq-> number : jF(qq) * x)) = <t(i , n,F)*x 

sigma .sum: Lemma 

c[i,n, .F) + <r(t,n,G) = <r(i,n, ( Aqq-+ number : F(qq) + G(qq))) 
splitxigma: Lemma 

n> mD cr(i, n, F) = a(i, m, F) + a(i + m, diff(n, m), F) 
sigmaxbs: Lemma |<r(*, n, J 7 ’)! < o(i,n, (Aqq— ► number : |.F(qq)|)) 
sigma-bound: Lemma 

n>0A(Vk:i<fcAfc<» + pred(n) D F(k) < x) 

D <r(i, n,F) < n * x 
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bounded: function[nat, nat, function[nat — ► number], number — ► bool] 

bounded.ax: Axiom 

n > 0 D (bounded(» , n, F , x) 

= (Vk:i<fcAfc<i + pred(n) D F(k) < x)) 

revsigma: function [nat, nat, function [nat — ♦ number] — * number] 

revsigmaxix: Axiom 

revsigma(t, n, F) = if n = 0 
then 0 

else F(i) + revsigma(» + 1 , pred(n) , F) 
end if 

sigma_rev: Lemma a(i, n, F) = revsigma(t , n, F) 

Proof 

sigma_const_basis: Lemma <r(i, 0, ( Aqq— * number : at)) = 0 

8c_basis_proof: Prove sigmaxonst_basis from 
sigma_ax {n *— 0, F <— ( A qq— ► number : a:)} 

sigma_const_step: Lemma 

tr(i , n, ( A qq-+ number : x)) = n* x 

D a(i, n + 1, ( A qq— ♦ number : x)) = (n + 1) * x 


sc_step_proof: Prove sigmaxonst .step from 

sigma jix {n+-n+l,F+-(A qq-» number : x)}, pred Jemma 

sc.proof: Prove sigma. const from 
induction {prop <— ( A nn— * bool : 

a (», nn, ( A qq— ► number : x)) = nn * x)}, 
sigmaxonst Jjasis , 
sigmaxonstxtep {n «— i@pl} 

(* *) 


sigmajnult J>asis: Lemma 

<r(i, 0, ( A qq— ► number : x * F(qq))) = x * a(«, 0, F) 
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sm-basis-proof: Prove sigma_mult .basis from 
sigma joc {n <— 0}, 

sigma^ax {n ♦- 0, F <— (A qq-> number : x * F(qq))} 

sigma_mult-step: Lemma 

cr(i, n, ( A qq-> number : x * F(qq))) = x * <r(i, n, F ) 

D <r{i, n + 1, ( A qq-> number : x * F( qq))) = x * <r(i, n+l,F) 

smjstep .proof: Prove sigma .mult-step from 

sigmajix {n «- n + 1, F <- ( A qq-+ number : x * F(qq))}, 

sigma _ax {n <— n + 1}, 

predJemma 

sm_proof: Prove sigma jnult from 
induction {prop ♦— ( A nn— ► bool : 

<t(», nn, ( A qq— ► number : x * F(qq))) = x * er( *> nn, F))}, 
sigma jnult.basis, 

sigmajnult-step {n <— i@pl} 

(* *) 

mod jigmajnult 4 >roof: Prove mod.sigma jnult from 
sigma jnult, 

extensionality {F <- ( A qq-> number : x * F(qq)), 

G «— ( A qq— ► number : F(qq) * x)} 

(* *) 

sigma -sum.basis: Le mm a 

<r(*,0, F) + a(«,0,G) = ff(t, 0, ( Aqq— ► number : F(qq) + G(qq))) 

ss .basis .proof: Prove sigma sum.basis from 

sigma jix {n 0, F <- ( A qq-* number : F(qq) + G(qq))}, 
sigma_ax {n <- 0, F <- ( A qq-+ number : G(qq))}, 
sigmajix {n <— 0} 

sigma^um_step: Lemma 

<t(i, n, F) + a(i, n, G) = a(t, n, ( A qq-* number : F(qq) + G(qq))) 
D o(i,n+ l,F) + <r(«,n+ 1,(7) 

= n + 1, ( A qq-* number : F(qq) + G(qq))) 


Sigmaprops 


111 


ss_step_proof: Prove sigma_sumjstep from 

sigma_ax {n 4 - n + 1, F 4 - ( A qq-> number : F(qq) + G(qq))}, 
sigma jlx {n+-n+l, F<— (A qq— ► number : G(qq))}, 
sigma_ax {n <— n + 1}, 
predJemma 

ss.proof: Prove sigma_sum from 

induction {prop <— ( A nn— ► bool : 
c(», nn, F) + <r(t , nn, G) 

= ( Aqq-» number : F( qq) + G(qq))))}, 

sigma_sum_basis, 
sigma_sum_step {n <— i@pl} 

(* *) 

split jsigmaJbasis: Lemma < 7 ( 1 , n, F) = tr(», 0, F) + <r(t, diff(n, 0), F) 

split _basis_proof: Prove split_sigma_basis from 

sigma_ax, sigma _ax {n 0}, difLax {m <— 0}, natpos 

split .sigma-step: Lemma 

(n > m 3 er( *, n, F) = <r(», m, F) + <r(i + m, diff(n, m), F)) 
3(n>m+l 

D <7(1, n, F) = er(i, m + 1, F) + <r(t + m + 1, diff(n, m + 1), F)) 

split_step_proof: Prove split.sigma.step from 
sigma_ax {n <— m + 1}, 

sigma jev {i ♦- » + m + 1, n <- diff(n, m + 1)}, 

revsigma_ax {i «- * + m, n <— diff(n,m)}, 

sigma_rev {i <— i ' + m, n <- diff(n,m)}, 

predJemma {n «— m}, 

pred.diff, 

diff_zero, 

natpos {n ♦— m} 

split_proof: Prove split^igma from 
induction {n «— m, 
prop ♦— ( A nn— ► bool : 

n > nn D c(i, n, F) = <r(i, nn, F) + tr(t + nn, diff(n, nn), F))}, 
split_sigmaJbasis, 
split_sigmajstep {m <— i@pl} 
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(* *) 

sigma_abs_basis: Lemma 

k(i,0,F)| < <r(i',0,(Aqq-> number : |P(qq)|)) 

sa_basis_proof: Prove sigma^abs_basis from 
sigma jax {n 0}, 

sigmajax {n <- 0, F <— ( Aqq-> number : |F(qq)|)}, 
abs_ax0 

sigma_abs-step: Lemma 

k(*',n,F)| < ff(f,n,(Aqq-» number : |F(qq)|)) 

D |a(*,n + l,F)| < a(t',n + l,(Aqq-> number : |F(qq)|)) 


sa_step_proof: Prove sigma^abs-step from 
sigmajax {n <— n + 1}, 

sigmajax {n «— n + 1, F <— ( Aqq— » number : |F(qq)|)}, 

abs_ax2 {x <— F(i + n), y «- ff(», n, F)}, 

natpos, 

predJemma 

sa-proof: Prove 8igma_abs from 

induction {prop «— ( A nn— * bool : 

|<r(t, nn, F)\ < a(i, nn, ( A qq— ► number : |P(qq)|)))}, 
sigmajabs-basis, 
sigma ^abs .step {n *— i@pl} 

(* *) 

boundedJemma: Lemma 

n > 0 A bounded (t, n + 1, F, x) D bounded (»', n, F, x ) 

bounded .proof: Prove boundedJemma from 
bounded_ax {k <— k@pl}, 
bounded_ax {n <— n + 1, k <— k@pl}, 
predJemma, 
pred_ax 

sigma_bound_basis: Lemma bounded (t, 1, F,x) D a[i, 1, F) < x 
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sb_basis_proof: Prove sigmaJboundLbasis from 
bounded-ax {n «— 1, k «— *}, 
sigma_ax {n ♦- 0}, 

8igma_ax {n <— 1}, 
pred_ax {n <— 1} 

alt_sigmaJbound_step: Lemma 

n > 0 A bounded (i, n + 1, F, x) A er(i, n,F)< nxx 
D o(i,n+ 1,F) < x + n x x 

alt-sbjstep_proof: Prove alt_sigma.boundjstep from 
bounded-ax {n n + 1, k ♦- t + n}, 
sigma.ax {n «- n + 1}, 
predJemma, 
natpos 

sigma-bound-step: Lemma 

n > 0 A bounded (t, n + 1, F, x) A <r(i, n,F)< n*x 
D a(i, n + 1, F) < (n + 1) * x 

sb_step_proof: Prove sigma_boundjstep from 

alt_sigma_bound_step, mult_ax {x ♦— n, y *— a:} 

sb: Lemma n > 0 A bounded (»', n, F, x) D tr(i, n,F) <n*x 

sb_proof: Prove sb from 

mod_inductionl {A <- (Ann-* bool : bounded(i',nn, F, x)), 

B <— ( A mm-* bool : o(i, mm, F) < mm * a:)}, 
bounded Jemma {n *— j@pl}, 
sigma_bound_basis, 
sigma-bound jstep {n *— i@pl} 

sigma-bound.proof: Prove sigma-bound {k <- k@p2} from sb, bounded.ax 

(* .*) 

sigmal: Lemma a[i, n + 1, F) - F(i) + a(i + 1, n, F) 
sigmalJbasis: Lemma ct(j, 1, F) = F(i) + «r(» + 1,0, F) 
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slb-proof: Prove sigmal .basis from 
sigma-ax {n <— 0}, 
sigma^ax {i «— * + 1, n «— 0}, 
sigma-ax {n «— 1}, 
pred_ax {n <— 1} 

sigmal J3tep: Lemma 

or(i,n+ 1,F) = F(«') + <r(« + 1 ,n,F) 

D <r(t, n + 2, F) - F(i) + a(i + 1, n + 1, F) 

8ls_proof: Prove sigmal .step from 
sigma^ax {i «— t + 1, n «— n + 1}, 
sigma-ax {n <— n + 2}, 
predJemma, 

predJemma {n <— n + 1}, 
natpos 

sigmal -proof: Prove sigmal from 
induction {prop «— ( A nn— ♦ bool : 

er(i, nn + 1, F) = F(i) + cr( i + 1, nn, F))}, 
8igmal_basis, 
sigmaljstep {n <— i@pl} 

(*- *) 

sigma_rev .basis: Lemma <7(1,0, F) = revsigma(t,0, F) 

srb_proof: Prove sigma-rev.basis from 

sigma_ax {n <— 0}, revsigmajix {n <— 0} 

sigma-rev .step: Lemma 

( V il: <r(il, n, F) = revsigma(il, n, F)) 

D (Vi2: <r(i2,n + 1, jP) = revsigma(i2, n + 1,F)) 


srp-proof: Prove sigma-rev .step {il <— i2 + 1} from 
revsigmajix {i •* — i2, n •« — n + 1}, 
sigmal {i <— i2}, 
predJemma, 
natpos 
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sigma_rev_proof: Prove sigma_rev from 
induction2 {il il@p3, 
i3 <- 1, 

prop2 <— ( A i, mi— » bool : <r(i, nn, F) = revsigma( *>nn, F))}, 
sigma_rev .basis {i «— iO®pl}, 
sigma_rev .step {i2 4 - i2@pl, n <— j@pl} 

End sigmaprops 
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time: Module 
Using arithmetics 

Exporting clocktime, realtime, period, R, S, T°, T^\ *1 € f?(* 2 ), 

★ 1 € S(* 2 ) with arithmetics 

Theory 

clocktime: TYPE IS number 
realtime: TYPE IS number 
period: TYPE IS nat 

R, S: clocktime (* Synchronizing periods *) 
posR: Axiom 0 < R 

posS: Axiom 0 < S 

Cl: Axiom R>Z*S 

SinR: Lemma S < R 

i : VAR period 

Tl* 1 ): function [period — » clocktime] 

T°: clocktime 

T-sup_ax: Axiom TW = T° + i * R 
Tjiext: Lemma T< <+1 ) = TW + R 
T, Ti, T 2 , II: VAR clocktime 

*1 G function [clocktime, period — ► boolean] 

Rdef: Axiom T € fjW = (3n:0<nAn<i?AT = TW + n) 

Ti in_R: Lemma I'M G BW 

*1 G function [clock time, period — *■ boolean] 

Sdef: Axiom T € = (3II:0<nAn<SAT = TW + R - S + II) 

inRS: Lemma T G sW D T G JlCO 
TiinJS: Lemma T(’ +1 ) G S(') 

in_S Jemma: Lemma T\ G A T 2 G SM D |7i - T 2 I < S 
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Proof 

SinR.proof: Prove SinR from Cl, posS, posR 

TLproof: Prove Tiin_R from Rdef {T «— TW, II *— 0}, abs_ax0, posR 

inRS .proof: Prove inRS from Sdef, Rdef {II <— R — S + II@pl}, SinR 

T_next_proof: Prove T_next from Tjsupjix, Tjsup_ax {i ♦— * + 1} 

Ti .in _S .proof: Prove Tiin_S from 

Sdef {II <- S, T ♦- r( i+1 )}, posS, Tjiext 

in _S_proof: Prove in.S Jemma from 
Sdef {T <— Ti}, 

Sdef {T <- Ti}, 

abs.ax5 {x «— II@pl, y *— n@p2, z <— S} 

End time 
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clocks: Module 
Using time 

Exporting proc, e*i(*2),p, C^, j 4^ 2 ^(*3), c^ 2 ^(*3), nonfaulty 
with time 

Theory 

proc: TYPE IS nat 
p: VAR proc 

c*i(*2): function [proc, clocktime — ► realtime] 
c[j 2 ); function [proc, period — ♦ clocktime] 

zero_correction: Axiom Cp ° ^ = 0 
i: VAR period 

T,To,Ti,T 2 ,Tff. VAR clocktime 

Ai* 2) (*3): function [proc, period, clocktime — ► clocktime] = 

( A p, i, T— ♦ clocktime : T + Cp^) 
c li^(*3) : function [proc, period, clocktime — * realtime] 

clockdef: Axiom c^(T) = c p (A^(T)) 

goodclock: functionjproc, clocktime, clocktime — ► bool] 
p : number 

rho-pos: Axiom £ > 0 

rhojsmall: Axiom f < 1 

gc_ax: Axiom 

goodclock(p, To, Tff) 

= (VT 1s T 2 : 

To < Tj A To < T 2 A T\ < Tff A T 2 < Tjy 

^ \c P (Ti) - c p (T 2 ) - (T x - T 2 )| < f x |Tj - T 2 |) 


monotonicity: Theorem 

goodclock (p, To, Tat) A T 0 < Ti A T 0 < T 2 A T x < T N A T 2 < T N 
D (Ti > T 2 D Cp(Ti) > c p (T 2 )) 


nonfaulty: function [proc, period — ♦ boolean] 
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Al: Axiom nonfaulty(p, ») = goodclock(p, A^(T( 0 )), A^(T(* +1 ))) 

Proof 

x , y: VAR number 

diminish: Lemma x>0l>|xx<x 

diminish_proof: Prove diminish from 
mult_mon {x <— y <— 1, z <— x}, 
rhojsmall, 

mult_ax {x 1, y ■«— x} 

monoproof: Prove monotonicity from 
gc-ax, 

diminish {x ♦- |7i - T 2 I}, 

abs-ax {a <- c,(Ti) - c p (T 2 ) - (T x - T 2 )}, 

abs_ax {a <— T\ - T 2 } 

End clocks 
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algorithm: Module 
Using clocks, sums 

Exporting E, A, a£ 2) , aJjJj, A<$ 2 , skew, S1A, SIC, S2, 6, e, 6 0} 
n, m with clocks 

Theory 

T,To,Ti,X,U: VAR clocktime 
»: VAR period 
p, q, r : VAR proc 

A*j 2 ^: function[proc, period — ♦ clocktime] 

A A^] 2 : function [proc, proc, period — ♦ clocktime] 
m, n: proc 
e,6o,6: realtime 
E, A: clocktime 

C0_a: Axiom n > 0 

C0_b: Axiom 0 < m A m < n 

C0_c: Axiom A > 0 

C2: Axiom S > E 

C3: Axiom E > A 

C4: Axiom A>£+e+£xS 

C5: Axiom 6 > So + p * R 

C6: Axiom 6 

>2*(c + p*5) + 2*m* A/(n — m) + n* p* R/(n — m) + p * A 
+ n * p * E/(n - m) 

C2and3: Lemma A < S 
Algl: Axiom = Cp^ + A^ 

Alg2: Axiom A^ = 0" ( A r-» number : A^) 

Alg3: Axiom A$ = if r^pA |A^| < A then Arp else 0 end if 
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clock-prop: Lemma c£ +1 ^(T) = c^(T + A^) 

D2bar_prop: Lemma |Ap]| < A 

skew: function[proc, proc, clocktime, period — ► clocktime] = 

( A p, q, T, i— ► clocktime : |cp ^(T) — 4^(T)|) 

SI A: function [period — ► bool] 

SlAdef: Axiom SlA(t) = ( Vr: (m + l<rAr<n)l) nonfaulty(r, *)) 

SIC: functionfproc, proc, period — ► bool] 

SICdef: Axiom 
SlC(p,g,t) 

= (nonfaulty(p, i) A nonfaulty (g, i) AT E D skew(p, g, T, i) < 6 ) 

SIC Jemma: Lemma SlC(p, q,i) D SlC(g,p,t) 

S2: function [proc, period — ► bool] 

S2_ax: Axiom S2(p,t) = (|c£’ +1 ^ - C^\ < E) 

AO: Axiom skew(p, q, T(°), 0) < So 

A2: Axiom nonfaulty(p, *) A nonfaulty (g, i) A SlC(p, g, *) A S2(p, *) 

D l^?p| ^ & 

A ( 3 To : T 0 € 5W A |4°(To + A$) - 4° (To) I < e) 

A2_aux: Axiom A pp = 0 

Theorem.l: Theorem SlA(t) 3 SlC(p, q,i) 

Theorem_2: Theorem S2(p,») 

Proof 

C2and3_proof: Prove C2and3 from C2, C3 

clock .proof: Prove clock .prop from 

clockdef {T «— T + ApO}, clockdef {i ♦— t -f 1}, Algl 

D2bar_prop-proof: Prove D2bar.prop from 
Alg3 {r <— p, p <— g}, C0.c, abs_ax0 
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SlC_lemma_proof: Prove SICJemma from 
SICdef, 

SlCdef {p <- q, q «- p}, 

abs_ax4 {x «— c^(T@pl), y <— Cp^(T@pl)} 

Theorem_2_proof: Prove Theorem.2 from 
S2-ax, 

Algl, 

D2bar_prop {p ♦— pp@p7, q «— p}, 

Alg2, 

CO^a, 

COjc, 

mean-bound {i ■« — 1, 

j «-», 

x *- A, 

F «— (Ar— > number : |A^|)}, 
abs-mean {i <— 1, j «— n, F <— ( A r— ► number : Arp)}, 
C3 


End algorithm 
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clockprops: Module 

Using clocks, algorithm, natinduction 

Theory 

T, To, T\, T 2 , Tn, II: VAR clocktime 
p, q: VAR proc 
1 : VAR period 

upper-bound: Lemma 

t e 5(0 a |n| < r - s d Ap ] (T + n) < a£ +1) (t(‘ +2 )) 

lower-bound: Lemma 0 < II D a{, 0) (T( 0 )) < A^TW + n) 
lower J>ound2: Lemma 

T € 5(0 A |n| < R - S D Aj, 0) (T(°)) < aP(T + II) 
adj_always_pos: Lemma Ap^(T(0) > T° 
nonfx: Lemma nonfaulty(p, t + 1) D nonfaulty(p, 1) 
SlAJemma: Lemma S1A(« + 1) D S1A(») 

Proof 

i2R: Lemma T(*'+ 2 ) = T« + 2 *R 

i2R.proof: Prove i2R from Tjsup_ax {i <— * + 2}, T_sup_ax 

upper_bound_proof: Prove upper-bound from 
Sdef, 
i2R, 

abs_ax6 {x II, y «— R — S}, 

S2_ax, 

Theorem J, 

abs.ax6 {x <— Cp‘ +1 ^ - Cp\ y <— E}, 

C2 

basis: Lemma Ap°^(T( 0 )) > T° 
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basis_proof: Prove basis from zero_correction, T-sup.ax {i <— 0} 

small .shift: Lemma Cp +1 ^ - Cp ^ > -R 

smalljshift-proof: Prove small-shift from 

S2^ax, Theorem abs^ax {a *— Cp i+1 ^ - C^}, C2, SinR 

inductive jstep: Lemma A^(TW) > T° D Ap +1 ^(T(* +1 )) > T° 

ind.proof: Prove inductive jtep from small -shift, T_next 

adj-pos-proof: Prove adj-always-pos from 

induction {n <— prop <— ( Ai— > bool : Ap^(TW) > T 0 )}, 
basis, 

inductivejstep {i «— i@pl} 

lower Jaound-proof: Prove lowerJbound from 

adj_always.pos, Tj3up_ax {i •«— 0}, zero_correction 

lower _bound2_proof: Prove lower Jbound2 from 

lower-bound {II «- T - + II@c}, Sdef, abs-ax {a <— II}, SinR 

gc_prop: Lemma 

goodclock(p, To, Tn) ATo<T AT <T n D goodclock (p,T 0 ,T) 

gc-proof: Prove gc_prop from 

gc-ax {Tj «- Ti@p2, T 2 T 2 @p2}, gc_ax {T N <- T) 

bounds: Lemma 

a ( p\tW) < Aj,‘ ) (r(‘+ 1 )) 
a aJ 0 (t(' +1 )) < a{ , ' +1) (t( , ' +2 )) 


bounds_proof: Prove bounds from 

upper-bound {II «— 0, T +- T( ,+1 )}, 
lower_bound2 {II *— 0, T <— T( ,+1 )}, 
abs_ax0, 

SinR, 

TiJn-S 
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nonfx.proof: Prove nonfx from 
A1 {i «- t + 1}, 

Al, 

gc.prop {T 0 «- A ( P 0) (T(°)), 

T n «- A? +1) (T( ,+2 )), 

t ♦- 4’*)(r ( *' +1) )}, 

bounds 

SlAJemma.proof: Prove SlAJemma from 

SlAdef, SlAdef {i ♦- * + 1, r «- r@pl}, nonfx {p ♦- r@pl} 

End clockprops 
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lemmal: Module 

Using algorithm, lemma2 

Theory 

p, q: VAR proc 
i: VAR period 

lemmaldef: Lemma 

SlC(p, q, t) A S2(p, i) A nonfaulty(p, » + 1) A nonfaulty(g, »' + 1) 
=> |A«| < A 


Proof 

lemmal_proof: Prove lemmaldef from 

A2, 

lemma2c {II <— T <— To@pl}, 

SICdef {T <- To@pl}, 

abs_ax4 {x +- c^fToQpl), y <- ^(ToQpl)}, 

abs_ax4 {x ♦- ^(ToQpl + II@p2), y ♦- ^(ToQpl) + II@p2}, 

abs_ax2b {x ♦- y@p5 - x@p5, y ♦- y@p4 - x®p4, z «- x @p5 - y@p4}, 

nonfx, 

nonfx {p «— q), 

inRS {T i- 7b@pl}, 

mult4 {x 4 - §, y «- |A$|, z ♦- 5}, 

rho-pos, 

C4 


End lemmal 
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lemma2: Module 

Using algorithm, clockprops 

Theory 

p, q, r: VAR proc 
*: VAR period 
T: VAR clocktime 
II, VAR realtime 

lemma2def: Lemma 
nonfaulty(p, » + 1) 

A A^(T) < 4 ,+1) (T(*'+ 2 )) 
a aJ 0) (t(°)) < 

a a^(t + n) < 4 <+1 ) (t( ,+2 )) 
a a1 0) (t(°)) < Ap\t + n) 

D |4°(T + n) - ( C W(T) + n)| < $ X |n| 


lemma2a: Lemma 

nonfaulty(p, i + 1) A |II + $| < R - S A |$| < /? - S A T G 5 W 

d | c{°(r + $ + n) - + *) + n)| < * x |n| 


lemma2b: Lemma 

nonfaulty(p, i + 1) A |$| < S A |II| < S A T G S(0 
D I 4°(t + * + n) - (4°(T + $) + n)| < f X |n| 

lemma2c: Lemma 

nonfaulty(p, i + 1) A |TT| < S A T G SM 

=> | 4°(t + n) - (4°(t) + n)| < £ x |n| 


lemma2d: Lemma 

nonfaulty(p, i)A0<IlAn<i? 

d |cj°(rw + n) - (4 f) (TM) + n)| < I x n 


i 


I 


I 
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Proof 

lemma 2 .proof: Prove lemma2def from 
A 1 {i «— i + l}, 
gcjsx {T 0 <- Aj, 0 ) (T (0) ), 

T n «- A? + 1 ) (T('+ 2 )), 

t 2 - 4°cn, 

T\ <— Ap ] (T + n)}, 

clockdef, 

clockdef {T <— T + 11} 

lemma 2 a-proof: Prove lemma2a from 
lemma2def {T T + $} , 
upper-bound {IT <— $ + II}, 
lowerJbound 2 {!!<—$> + II}, 
upper-bound {II 
lower_bound2 {II ♦- $} 

lemma 2 b_proof: Prove lemma2b from 

lemma 2 a, abs_axl {x +- II}, abs-ax 2 {x <— $, y ♦- II}, Cl, posS, posR 

lemma 2 c_proof: Prove lemma2c from lemma2b {$ ♦— 0}, abs_ax0, posS 

lemma 2 d_proof: Prove lemma2d from 
Al, 

gc-Ax {To - A{, 0 ) (r(°)), 

t n <- 4 i) (r(<+ 1 )), 

T\ <- aP(tW + n), 
t 2 «- aP(tU)}, 

clockdef {T — r«}, 
clockdef {T 4 - TM + n}, 
posR, 

pos_abs {x <— FI}, 
lower .bound, 
lower .bound {II «— 0}, 

T_next 


End lemma2 
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lemma3: Module 

Using algorithm, lemma2 

Theory 

p, q : VAR proc 
*': VAR period 
T, To,Ti,T2' VAR clocktime 
II: VAR realtime 

lemma3def: Lemma 
SlC(p,9,i) 

A S2(p, *) A nonfaulty(p, * + 1) A nonfaulty(g, » + 1) A T G S® 
D |4 ° (T + A $) - Cq\T) \<€ + p*S 


Proof 

lemma3 .proof: Prove lemma3def from 
A2 > 

rearrange jilt {x <— c^(T + A $), 
y 4- 4°(T), 
u 4- Cp ) (To@pl + A$), 
v 4— T - T 0 @pl, 
w 4- cJ’^ToiSpl)}, 

lemma2b {T 4- T 0 Opl, $ 4- A$, n 4 - T - T 0 ®pl}, 
lemma2c {p +- q, T 4- T 0 ®pl, II 4- T - T 0 @pl}, 
nonfx, 

nonfx {p 4— g}, 

mult4 {x 4- y 4- \T - T 0 @pl|, z 4- 5}, 
rho.pos, 

half3 {x 4- p, y 4 - S}, 

mult^ax {x ♦- p, y 4— 5 }, 

in_S Jemma {2j 4— T, T2 4— To®pl} 

End lemma3 
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lemma4: Module 

Using algorithm, lemmal, lemma2, lemma3 

Theory 

p, q, r : VAR proc 
*: VAR period 
T : VAR clocktime 

lemma4def: Lemma 
SlC(g,r,i) 

A SlC(p, q,i) 

A SlC(p, r, ») 

A S2(p, i) 

A S2(g,i) 

A S2(r, i) 

A nonfaulty(p, * + 1) 

A nonfaulty(g, » + 1) A nonfaulty(r, i+l) AT G S W 
d |cp^(T) + A W - (4°(T) + Ar'])| <2*(e + p*S+|xA) 


Proof 

Tq,T\,T^: VAR clocktime 

II: VAR realtime 

u, v, xv, x, y, z : VAR number 

rearrangel: Lemma x - y = (u - y) - (v - x) + (v - tt;) - (xi - xv) 

rearrangel_proof: Prove rearrangel 

rearrange2: Lemma 

|(« - y) - (v - *) + (v - xv) - (u - u;)| 

< |u - y| + |v - x\ + |v - U)| + |u - w| 


rearrange2_proof: Prove rearrange2 from 

abs_ax2c {w < (u y), x <— (x - v), y (v - u;), z <— (tt; - u)}, 
abs_ax3 {x <— (v — x)}, 
abs_ax3 {x <— (u — it;)} 

rearrange3: Lemma \x — y| < |u — y| + \v — x\ + |v - ti/| + |u — tt;| 
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rearrange3 .proof: Prove rearranges from rearrange 1, rearrange2 
sublemmal: Lemma 

SlC(p, r, i) A S2(p, ») A nonfaulty(p, t ' + 1) A nonfaulty(r, » + 1) 

= a!? = a!? 

sublemmal .proof: Prove sublemmal from lemmaldef {q <— r}, Alg3, 
A2_aux 

lemma2x: Lemma 
SlC(p, r,») 

A S2(p, *) A nonfaulty(p, * + 1) A nonfaulty(r, t + 1 ) A T £ £(’) 

=> 1 4°(r + *8) - (4°(r) + Arp) | < f x a 


lemma2x .proof: Prove lemma2x from 
lemma2c {II *- Arp}, 
lemmaldef {q <— r), 

C2and3, 

mult4 {x ♦ 2 ’ y * l A $l> z ♦“ A}, 
rho.pos 

lemma4_proof: Prove lemma4def from 
rearranges {x <- c^(T) + A$, 
y-4°(T) + A^, 
u^cf^T + A^), 

v «— Cp)(T + Arp), 
w «- cP(T)}, 
sublemmal, 
sublemmal {p «— g}, 
lemma2x, 
lemma2x {p <— q}, 
lemma3def {q «— r}, 
lemma3def {p *— q, q <— r}, 

SIC Jemma 


End lemma4 
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lemma5: Module 

Using algorithm, clockprops 

Theory 

p, q, r: VAR proc 
T : VAR clocktime 
i,j: VAR period 

lemma5def: Lemma 

SlC(p, q, i) A nonfaulty(p, i + 1) A nonfaulty (q, i + 1) A T € S W 
D \4 i} (T) + - (4°(T) + A$)| < 6 + 2 * A 


Proof 

c, b, x, y : VAR clocktime 

rearranged Lemma (o + a:) — (6 + y) = (a - b) + * - y 
rearrangel_proof: Prove rearrangel 

rearrange2: Lemma |(a + x) - (6 + y)| < |a - b\ + |x| + |y| 

rearrange2_proof: Prove rearrange2 from 

rearrangel, abs_ax8, abs.ax2 {x «— (a - b), y «— (x - y)} 

lemma5proof: Prove lemma5def from 
rearrange2 {a <— Cp^(T), 

b-cfV), 

X <- Arp, 

y <- A$}, 

D2bar_prop {p <— r, q <— p}, 

D2bar_prop {p <— r, q «— ?}, 
inRS, 

SICdef, 

nonfx, 

nonfx {p <— q} 


End lemma5 
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lemma6: Module 

Using algorithm, clockprops, lemma2 

Theory 

p, q: VAR proc 
*: VAR period 
T, II: VAR clocktime 

sublemma-A: Lemma 

nonfaulty(p, i) A nonfaulty(g, ») A T G R(’) 

D skew(p, q, T , *) < skew(p, q, TW, i) + p* R 


lemma6def: Lemma 

nonfaulty(p, » + 1) A nonfaulty(g, * -f 1) A T e R(’ +1 ) 
D skew(p, q, T, i + 1) 

< |cj, (T (<+1 )) + aJP - (4°(t( <+1 )) + a} 0 )! 

+ p*I? + p*S 


Proof 

sublemmal: Lemma 0<IlAlI<RD2*|xII<p*Jf2 

subl .proof: Prove sublemmal from 
mult2 i?>, 

times Jialf {x *- p}, 
mult4 {x < — y < — II, z 4 — R}, 

rho.pos, 

mult_ax {x «— p, y *— R } 

sub_A_proof: Prove sublemmal. from 
Rdef, 

rearrange Jilt {x •<— Cp’^(T), 

y - 4°cn, 

u 4- 

v «— n@ P i, 

w 4 — eW(TW)}, 
lemma2d {II 4— II@pl}, 
lemma2d {p 4— q } n 4- n@pl}, 
sublemmal {II 4— n@pl} 
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sublemma2: Lemma 

skew(p, q y T,i+ 1) = ^(T + A* 0 ) - $\t + aJ 0 )| 
sub2_proof: Prove sublemma2 from clock .prop, clock.prop {p <— q} 

lemma6 .proof: Prove lemma6def from 
sublemma-A. {i <— i + 1}, 
sublemma2 {T <— T(‘ +1 )}, 
rearrange {x <— c W( T (.+ i ) + 
y <— 4' ) (T (,+1) + A, } ), 
u <- c? ) (T( < +»)), 
v «- aJ, 0 , 

w — 4 °(t ( ’ +1) )> 

z <- a5* } }, 

lemma2c {T <— T(* +1 ), II «— Ap^}, 

lemma2c {T — T^ i+1 \ n — A^, p <- q), 

Aigl, 

Algl {p <- q}, 

S2_ax, 

S2-ax {p <- q}, 

Theorem J2, 

Theorem_2 {p <— q), 

mult4 {x <- l , y +- |aJ,* ) |, z <- E}, 

mult4 {x <- f, y <- |a5* } |, z <- E}, 
rho_pos, 

TiinJS, 

C2, 

half3 {x p, y «— E}, 
mult_ax {x * — p, y < — E} 

End lemma6 
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summations: Module 

Using algorithm, sums, lemma4, lemma5, lemma6 

Theory 

p, q , r: VAR proc 
T : VAR clocktime 
«: VAR period 

culmination: Lemma 

SlA(t + 1) A SlC(p, q , ») 

D (nonfaulty(p, « + 1) A nonfaulty(g, i + 1) A T £ 

D skew(p, q, T, i + 1) 

<((£ + 2*A)*m + 2*(p*S’ + e+ £xA)*(n- m))/n 
+ p * R + p * E) 

Proof 

11: Lemma | C W(J , (‘+ 1 )) + - (c^(T(’ +1 )) + A^)| 

— ©i ( A r— » number : 

|4°(T('+1)) + Ag - (4* , (T(‘ +1 )) + Arg)|) 

12: Lemma |4°(T (<+1) ) + a{° - (4 <) (T(* +1 )) + A$ $) )| 

< (ST l ( A r— ► number : 

| C (* ) ( T (,+ 1 )) + a« _ (4*')( T (.+1)) + aW)|) 

+ Em+i( A r— ► number : 

| C W( T (,+ 1 )) + a W _ ( 40 (r «+i) ) + aW)|)) 

/» 

13: Lemma S1A(» + 1) 

A SlC(p, q, *) A nonfaulty(p, » + 1) A nonfaulty(g, « + 1) 

D Hr ( A r — * number : 

| c (0( T (i+i)) + A W _ ( 40 ( T «+ 1 )) + A^)|) 

< (6 + 2 * A) * m 


I 
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14: Lemma SlA(t + 1) 

A SlC(p, q, »') A nonfaulty(p, i + 1) A nonfaulty(g, » + 1) 

D Em+i( A r— > number : 

| C (0( T (.+1)) + Ag - (4‘)( T (,+ 1 )) + Ag)|) 
<2*(p*S + e + | X A) * (n - m) 

15: Lemma SlA(i + 1) 

A SlC(p, q, i) A nonfaulty(p, i + 1) A nonfaulty(9, * + 1) 

3 |4 ,) (T(*+ 1 )) + Ag - ( C f ) (T(‘+ 1 )) + A«)| 

<((£ + 2*A)*m + 2*(p*S + e+ £xA)*(n- m))/n 


ll_proof: Prove 11 from 
Alg2, 

Alg2 {p *-q}, 

rearrangejsum {x «— C (0( T (.+ 1 )) > 
y - 4‘)( T (,+l)) > 

F ♦— (Ar— ► number : Arp), 

G <— ( A r— ► number : A g), 
i <- 1, 

j 

absjnean {i <— 1, 

j «, 

F ♦- ( A r— ► number : x@p3 + Ag - (y@p3 + Ag))}, 
CO-a 

12_proof: Prove 12 from 

11 , 

split-mean {i «— 1, 
j <- n, 
k *— m, 

F <— ( A r— ► number : 

|4°(T ( ‘ +1 >) + *g - (cJ°(T (<+1) ) + Ag)|)>, 

CO_a, 

C0_b 
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bound_faulty: Lemma 

SlA(t + 1) A SlC(p, q, i) 

Al<rAf <mA nonfaulty(p, * + 1) A nonfaulty(g, i + 1) 

d l4‘ ) (r(‘+ 1 )) + Ag - (4 °(t(‘ +1 )) + A$)| 

< 8 4- 2 * A 

bound_faulty .proof: Prove bound-faulty from 
lemma5def {T +- Tiin-S 

l3.proof: Prove 13 from 

sum-bound {F <— ( A r— ► number : 

| C (« ) ( T (,+1)) + A (0 _ ( C (‘)(T(*+1)) + Arg)|), 

x *— 6 + 2 * A, 

i 

j «- ™}> 

bound-faulty {r «— pp@pl}, 

C0.b 

S2.pqr: Lemma S2(p, *) A S2 (g, i) A S2(r, ») 

S2_pqr_proof: Prove S2_pqr from 

Theorem_2, Theorem_2 {p *— q), Theorem_2 {p <— r} 

bound_nonfaulty: Lemma 
SlA(t + 1) A SlC(p, q, i) 

Am+l<rAr<nA nonfaulty(p, i + 1) A nonfaulty(g, * + 1) 

d l4‘ ) (r (i+l) ) + a $ - (4 ,) (r ( *' +1) ) + Ar j)| 

<2*(p*S + e+ fxA) 
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bound .nonfaulty .proof: Prove bound_nonfaulty from 
SlAdef {i <— i + 1}, 

S1A Jemma, 

SlAdef, 

nonfx, 

nonfx {p «— 9}, 

Theorem_l {q *— r}, 

Theorem.l {p <— 9, q ♦- r}, 

S2_pqr, 

lemma4def {T <- r(‘ +1 )}, 

Tiin_S 

Unroof: Prove 14 from 

sum_bound {F «— ( A r— ► number : 

| C W (T (, + 1)) + Ag - (4*>(3T(<+1>) + A (0)|), 

x*— 2* (p*S + e + % xA), 

i <- m + 1, 

j <- »}> 

bound_nonfaulty {r «— pp@pl}, 

CO_b 

l5_proof: Prove 15 from 

12 , 

13, 

14, 

div_mon2 {x «— A r— ♦ number : 

| C (« ) ( T (,+ 1 )) + A (0 _ (4‘)(T(‘' +1 )) + Ar«)|) 

+ Em+i( a r-» number : 

| c W( T (.+x)) + A« _ (4’)(7 1 (‘+i)) + Arg)|), 
y<-(f + 2 «A)*tn + 2*(/i*S + f+^xA)*(n- m), 
z <- n}, 

CO_a 

culm_proof: Prove culmination from lemma6def, 15, SlAdef {i *— i + 1} 
End summations 
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juggle: Module 
Using algorithm 
Theory 

rearrange_delta: Lemma 

8>2*(e + p*S)+2*m* A /(n — m) + n * p * R/(n — m) 

+ p* A 

+ n * /> * E/(n - m) 

D £ > ((£ + 2 * A) * m + 2 * (e + p * S + § x A) * (n - m))/n 

p * R 

+ /> * E 


Proof 

a, 6, bl, b2, b3, b4, b5, b6, c, x, y: VAR number 

distrib6: Lemma 

(bl + b2 + b3 + b4 + b5 + b6) * c 

= bl*c + b2*c + b3*c + b4*c + b5*c + b6*c 


distrib6_proof: Prove distrib6 

distrib6_mult: Lemma 

(bl + b2 + b3 + b4 + b5 + b6) x c 

= blxc + b2xc + b3xc + b4xc + b5xc + b6xc 

distrib6_mult.proof: Prove distrib6_mult from 
distrib6, 

mult_ax {x <— bl 4- b2 4- b3 + b4 4- b5 + b6, y «— c}, 

mult_ax {x <— bl, y «— c}, 

mult^ax {x <— b2, y «— c}, 

mult_ax {x <— b3, y <— c}, 

mult^ax {x <— b4, y «— c}, 

mult_ax {x +— b5, y *— c}, 

mult_ax {x <— b6, y «— c} 

multJneql: Lemma 

o ^ bl 4* b2 4 b3 4 b4 4~ b5 A c > 0 

Daxc>blxc4-b2xe4-b3xc4-b4xc4-b5xc 


I 
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mult -ineql_proof: Prove multineql from 
distrib6_mult {b6 <— 0}, 

mult_mon2 {x <— bl + b2 + b3 + b4 + b5, y *- a, z <- c}, 
mult_ax {x « — 0, y « — c} 

distrib6_div: Lemma 

c > 0 D (bl + b2 + b3 + b4 + b5 + b6)/c 

= bl/c + b2/c + bZ/c + b4/c + b5/c + b6/c 

reciprocal: Lemma y ^ 0 D x x 1/y = x/y 

reciprocaLproof: Prove reciprocal from 
quotient ^ax, mult_ax {y <— 1/y} 

distrib6_div_proof: Prove distrib6_div from 
distrib6_mult {c <— 1/c}, 

reciprocal {x <- bl + b2 + b3 + b4 + b5 + b6, y <- c}, 

reciprocal {x <— bl, y <— c}, 

reciprocal {x +- b2, y <— c}, 

reciprocal {x «- b3, y <— c}, 

reciprocal {x <— b4, y <— c}, 

reciprocal {x <— b5, y c}, 

reciprocal {x <— b6, y <— c} 

cancel_mult: Lemma c>0Aaxc>bDa> b/c 

cancel_mult_proof: Prove cancel_mult from 
div_mon2 {z «— c, x <— b, y *- a X c}, 
cancellationjnult {x «— a, y <— c} 

mult _ineq2: Lemma 

c > 0 A a X c > bl + b2 + b3 + b4 + b5 + b6 

D o > bl /c + b2/c + b3/c + b4/c + b5/c + b6/c 

multaneq2_proof: Prove mult Jneq2 from 

cancel_mult {b ■<— bl + b2 + b3 + b4 + b5 + b6}, distrib6.div 

distrib4_div: Lemma 

c > 0 D bl /c + b2/c + b3/c + b4/c = (bl + b2 + b3 + b4) /c 
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distrib4^div_proof: Prove distrib4jdiv from 
distrib6_mult {b5 «— 0, b6 *— 0, c «— 1/c}, 
reciprocal {x <— bl + b2 + b3 + b4, y *— c}, 
reciprocal {x <— bl, y <— c}, 
reciprocal {x «— b2, y <— c), 
reciprocal {x *— b3, y <— c}, 
reciprocal {x <— b4, y <— c}, 
mult_ax {x <— 0, y «— 1/c} 

stepl: Lemma 

6>2*(e + p*S) + 2*m* A /(n — m) + n * p * R/(n — m) 
+ p * A 

+ n* p* E/(n — m) 

D 8 x n - m 

>2*(e + p*S)xn-m + 2*m*A + n*p*R + p*Axn-m 
+ n * p * S 


stepl.proof: Prove stepl from 
mult ineql {a <— 6, 
c *— n — m, 
bl <— 2 * (c + p * S), 
b2 4— 2 * m * A/(n - m), 
b3 <— n * p * R/(n - m), 
b4 <— p * A, 

b5 *— n * p * E/(n — m)}, 
mult-div {x<— 2*m*A,y<— n- m}, 
mult_div {x «— n* p* R,y <— n — m}, 
mult_div {x <— n * /> * E, y <— n — m}, 

C0_b 

step2: Lemma 

Sxn — m>2*(e + p*S)xn — m + 2*m*A + n*p*R 
+ p * A X n — m 
+ n * p * E 

D^xn>fxm + 2*(e + p*S)xn-m + 2*m*A + n*p*fi 
+ p * A x n — m 

+ n * p * 
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step2_proof: Prove step2 from 
mult_ax {x <— 6, y <— n — m}, 
mult-ax {x <— 6, y <— n}, 
mult_ax {x < — 6, y < — m} 

step 3: Lemma 

f xn>i xm + 2*(e + ^*S)xn-m + 2*m*A + ii*/)*U 
+ p*Axn-m 
+n*p*E 

D S > 6 x m/n + 2*(e + p*S)xn - m/n + 2 * m * A/n + p * R 
+ p * A x n - m/n 
+ p * S 

step3_proof: Prove step3 from 
mult_ineq2 {a <— 6, 
c <— n, 
bl <— £ x m, 

b2 <— 2 * (e 4- * S) x n - m, 
b3 <— 2 * m * A, 
b4 ♦— n * p * ii, 
b5<— p * A X n — m, 
b6 *— n * p * S}, 

cancellation {x <— p * R, y <— n}, 
cancellation {x <— p * E, y n}, 

CO_a 

step 4: Lemma 

6 > 6 x m/n + 2*(e + p*S)xn — m/n + 2*m*A/n + p*R 
+ p * A x n - m/n 
+ p * E 

D 6 > ($xm + 2*(e + p*S')xn — m + 2 * m * A + /> * A x n — m)/n 

+ p * R 

+ p* £ 
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step4_proof: Prove step4 from 
CO .a, 

distrib4jdiv {c *— n, 
bl *— 6 x m, 

b2 «— 2 * (e + p * S) x n — m, 
b3 «— 2 * m * A, 
b4<-p*Axn - m} 

step5: Lemma 

S > (6 x m + 2 * (e + p * S) x n — m + 2 * m * A + p * A x n — m)/n 

+ p * R 

+ p * S 

D 5 > ((5 + 2»A)*m + 2*(f + /)*S + i x A)*(n- m))/n 

+ p* R 

+ p* S 

step 5. pro of: Prove step5 from 
mult_ax {x <— 6, y *- m), 
mult_ax {x<— p*A,y<— n - m}, 
mult_ax {x^-2*(e + ^*S),y<-n - m}, 
half3 {x <- p, y «- A}, 
mult^ax {x <— p, y *— A} 

final: Prove rearrange.delta from stepl, step2, step3, step4, step5 
End juggle 
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main: Module 

Using natinduction, algorithm, lemma6, summations, juggle 
Proof 

p, q, r: VAR proc 
i,j,k : VAR period 
T: VAR clocktime 

basis: Lemma S1A(0) D SlC(p,g,0) 

basis_proof: Prove basis from 

SlAdef {i <— 0}, sublemma_A. {i «— 0}, SICdef {i <— 0}, AO, C5 

ind-step: Lemma SlA(i + 1) A SlC(p, q, t) D SlC(p, q, i + 1) 

ind_proof: Prove indjstep from 

culmination, rearrange_delta, SICdef {i <— t + 1}, C6 

Theorem_l .proof: Prove Theorem_l from 
basis, 

ind-step {i «— i@p3}, 
mod induction {n <— i, 

A <— (Ak— ► bool : SlA(k)), 

B *— (Ak— ► bool : SlC(p,g,A:))}, 

SlAJemma {i j@p3} 


End main 


Appendix C 

Proof-Chain Analysis 


This Appendix reproduces the output from the EHDM Proof Chain Analyzer 
for the two Theorems proved in the specification. 


C.l Clock Synchronization Condition S2 

The proof chain for Theorem_2 in the specification is given below in full. It 

can be seen that the proof chain is complete. 

Proof chain for formula Theorem_2 in module algorithm 

algorithm . Theorem_2 

is the conclusion of the proof 
algorithm . Theorem_2_proof 

Proof algorithm. Theorem_2_proof (which is PROVED) establishes 
algorithm . Theorem_2 

Its premises are: 
algorithm. S2_ax 
algorithm.Algl 
algorithm . D2bar_prop 
algorithm. Alg2 
algorithm. CO_a 
algorithm. CO_c 
sums . mean.bound 
sums . abs_mean 
algorithm. C3 
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algorithm . S2_ax 
is an axiom 

algorithm. Algl 
is an axiom 

algorithm . D2bar_prop 

is the conclusion of the proof 
algorithm . D2bar_prop .proof 

Proof algorithm. D2bar .prop .proof (which is PROVED) establishes 
algorithm . D2bar_prop 

Its premises are: 
algor ithm.Alg3 
algorithm. CO.c 
absolutes . abs.axO 

algor ithm.Alg3 
is an axiom 

algorithm. C0_c 
is an axiom 

absolutes . abs.axO 

is the conclusion of the proof 
absolutes . abs.proof 0 

Proof absolutes .abs_proofO (which is PROVED) establishes 
absolutes . abs.axO 

Its premises are: 
absolutes . abs.ax 

absolutes . abs.ax 
is an axiom 

algor ithm.Alg2 
is an axiom 

algorithm. CO.a 
is an axiom 


algorithm. C0_c 
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has already been justified 

sums . mean_bound 

is the conclusion of the proof 
sums .mean.bound.proof 

Proof sums. mean.bound.proof (which is PROVED) establishes 
sums . mean_bound 

Its premises are: 
sums . sum_boundl 
stuns .me an. ax 
arithmetics . div.prod 

sums . sum.boundl 

is the conclusion of the proof 
sums . sum.boundl.proof 

Proof sums . sum.boundl.proof (which is PROVED) establishes 
sums . sum.boundl 

Its premises are: 
sums . sum.bound.mod 
arithmetics .mult. ax 

stuns . sum.bound.mod 

is the conclusion of the proof 
sums . siun.bound.mod.proof 

Proof sums . sum_bound.mod.proof (which is PROVED) establishes 
Bums . sum.bound.mod 

Its premises are: 
sums . sum.ax 
sums . sigma_bound2 
natprops .pred.diff 
natprops . dif f .ax 
natprops . dif f _ax 

sums . sum.ax 
is an axiom 

sums . sigma_bound2 

is the conclusion of the proof 
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sums . sigma.bound2.proof 

Proof sums . sigma.bound2.pr oof (which is PROVED) establishes 
sums . sigma_bound2 

Its premises are: 

sigmaprops . sigma.bound 
arithmetics .mult _ax 

sigmaprops . sigma.bound 

is the conclusion of the proof 
sigmaprops . sigma.bound.proof 

Proof sigmaprops . sigma .bound_proof (which is PROVED) establishes 
sigmaprops . sigma.bound 

Its premises are: 
sigmaprops . sb 
sigmaprop8.bounded.ax 

sigmaprops . sb 

is the conclusion of the proof 
sigmaprops . sb.proof 

Proof sigmaprops. sb.proof (which is PROVED) establishes 
sigmaprops. sb 

Its premises are: 

nat induction . mod. induct ionl 
sigmaprops .bounded. lemma 
sigmaprops . sigma.bound.basis 
sigmaprops . sigma.bound.step 

nat induction . mod. induct ionl 

is the conclusion of the proof 
natinduct ion . mod.induct ionl.proof 

Proof nat induc- 
tion, mod.induct ionl.proof (which is PROVED) establishes 
nat induction . mod. indue t i onl 

Its premises are: 

natinduction.mod.induction.m 
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nat induct ion . mod. induct ion_m 
is the conclusion of the proof 
natinduction.mod_m_proof 

Proof nat induct ion. mod_m_proof (vhich is PROVED) establishes 
nat induction . mod. induct ion.m 

Its premises are: 

natinduct ion . induct ion.m 

nat induction . indue t ion.m 
is an axiom 

sigmaprops .bounded. lemma 

is the conclusion of the proof 
sigmaprops .bounded.proof 

Proof sigmaprops. bounded.proof (vhich is PROVED) establishes 
sigmaprops .bounded.lemma 

Its premises are: 

sigmaprops .bounded.ax 
sigmaprops . bounded.ax 
natprops .pred. lemma 
natprops .pred.ax 

sigmaprops . bounded.ax 
is an axiom 

sigmaprops . bounded.ax 

has already been justified 

natprops .pred.lemma 

is the conclusion of the proof 
natprops . pred.lemma.proof 

Proof natprops. pred.lemma.proof (which iB PROVED) establishes 
natprops . pred.lemma 

Its premises are: 
natprops . pred.ax 
natprops . natpos 


natprops . pred.ax 
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is an axiom 

natprops .natpos 
is an axiom 

natprops .pred_ ax 

has already been justified 

sigmaprops . sigma_bound_basi8 
is the conclusion of the proof 
sigmaprops . sb_basis_proof 

Proof sigmaprops. Bb_basiB_proof (vhich is PROVED) establishes 
sigmaprops . sigma_bound_basis 

Its premises are: 

sigmaprops . bounded.ax 
sigmaprops . sigma_ax 
sigmaprops . sigzna.ax 
natprops .pred^ax 

sigmaprops. bounded^ ax 

has already been justified 

sigmaprops . sigma_ax 
is an axiom 

sigmaprops . sigma.ax 

has already been justified 

natprops .pred.ax 

has already been justified 

sigmaprops . sigma_bound_step 
is the conclusion of the proof 
sigmaprops . sb_Btep_proof 

Proof sigmaprops. sb_step_proof (vhich is PROVED) establishes 
sigmaprops . sigma.bound.step 

Its premises are: 

sigmaprops . alt_sigma_bound_step 
arithmetics .mult_ax 
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sigmaprops . alt_sigma.bound_etep 
is the conclusion of the proof 
sigmaprops . alt.sb.step .proof 

Proof sigmaprops. alt.sb.step.proof (which is PROVED) establishes 
sigmaprops . alt.sigma.bound.step 

Its premises are: 

sigmaprops . bounded. ax 
sigmaprops . sigma.ax 
natprops .pred.lemma 
natprops . natpos 

sigmaprops . bounded. ax 

has already been justified 

sigmaprops . sigma.ax 
has already been justified 

natprops .pred.lemma 

has already been justified 

natprops . natpos 

has already been justified 

arithmetics. mult.ax 
is an axiom 

sigmaprops . bounded. ax 

has already been justified 

arithmetics . mult.ax 

has already been justified 

natprops .pred.dif f 

is the conclusion of the proof 
natprops .pred.dif f. proof 

Proof natprops. pred.dif f. proof (which is PROVED) establishes 
natprops. pred.dif f 

Its premises are: 
natprops .pred. ax 
natprops .diff. ax 
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natprops . dif f .ax 

natprops . pred.ax 

has already been justified 

natprops . dif f .ax 
is an axiom 

natprops . dif f .ax 

has already been justified 

natprops . dif f . ax 

has already been justified 

natprops . dif f . ax 

has already been justified 

arithmetics . mult.ax 

has already been justified 

sums .mean.ax 
is an axiom 

arithmetics . div.prod 

is the conclusion of the proof 
arithmetics . div.prod.proof 

Proof arithmetics. div.prod.proof (which is PROVED) establishes 
arithmetics. div.prod 

Its premises are: 

arithmetics.div.mult 
arithmetics. mult.ax 

arithmetics . div.mult 

is the conclusion of the proof 
arithmetics . div.mult .proof 

Proof arithmetics. div.mult.proof (which is PROVED) establishes 
arithmetics . div.mult 

Its premises are: 
arithmetics . div.mon 
arithmetics . cancellation.mult 
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arithmetics. div.mon 

is the conclusion of the proof 
arithmetics . div_mon_proof 

Proof arithmetics. div.mon.proof (which is PROVED) establishes 
arithmetics . div.mon 

Its premises are: 

arithmetics. mult.mon 
arithmetics . quotient .mult 
arithmetics .quotient.mult 
arithmetics.quotient.ax2 

arithmetics. mult .mon 
is an axiom 

arithmetics . quotient .mult 

is the conclusion of the proof 
arithmetics . quotient.mult.proof 

Proof arithmetics. quotient.mult.proof (which is PROVED) establishes 
arithmetics .quotient .mult 

Its premises are: 

arithmetics. quotient.ax 
arithmetics . mult.ax 

arithmetics . quotient.ax 
is an axiom 

arithmetics . mult.ax 

has already been justified 

arithmetics .quotient .mult 
has already been justified 

arithmetics. quotient_ax2 
is an axiom 

arithmetics . cancellation.mult 
is the conclusion of the proof 

arithmetics . cancellation.mult.proof 
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Proof arith- 
metic s.cancellation.mult .proof (which is PROVED) establishes 
arithmetics . cancellation_mult 

Its premises are: 

arithmetics . cancellation 
arithmetics .mult.ax 

arithmetics . cancellation 

is the conclusion of the proof 
arithmetics . cancellation_proof 

Proof arithmetics. cancellation.proof (which is PROVED) establishes 
arithmetics . cancellation 

Its premises are: 

ar ithmet ic s . di v_t ime s 
arithmetics . quotient.axl 

arithmetics . div.t imes 

is the conclusion of the proof 
arithmetics . div.t imes.proof 

Proof arithmetics .div.times.proof (which is PROVED) establishes 
arithmetics . div.times 

Its premises are: 

arithmetics . quotient.ax 
arithmetics . quotient .ax 

arithmetics . quotient. ax 
has already been justified 

arithmetics . quotient. ax 
has already been justified 

arithmetics . quotient. axl 
is an axiom 

arithmetics . mult.ax 

has already been justified 

arithmetics .mult.ax 

has already been justified 
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sums . abs.mean 

is the conclusion of the proof 
sums . abs.mean.proof 

Proof sums . abs.mean.proof (which is PROVED) establishes 
sums .abs.mean 

Its premises are: 
sums.mean.ax 
sums.mean.ax 
sums . abs_sum 
arithmetics . abs.div2 
arithmetics . div_mon2 
absolutes . abs.axO 

sums . mean. ax 

has already been justified 
sums .mean.ax 

has already been justified 
sums . abs_sum 

is the conclusion of the proof 
sums . abs.sum.proof 

Proof sums . abs_ sum_pr oof (which is PROVED) establishes 
sums . abs_sum 

Its premises are: 
sums . sum.ax 
sums . sum.ax 
sigmaprops . sigma.abs 
absolutes . abs.axO 

sumB . sum.ax 

has already been justified 
sums . sum.ax 

has already been justified 

sigmaprops . sigma. abs 

is the conclusion of the proof 
sigmaprops . sa.proof 
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Proof sigmaprops . sa_proof (which is PROVED) establishes 
sigmaprops . sigma.abs 

Its premises are: 
nat induct ion. induction 
sigmaprops . sigma_ abs.basis 
sigmaprops . sigma_abs_step 

nat induct ion. induction 

is the conclusion of the proof 
nat induction . induction_proof 

Proof nat induction. induct ion.pro of (which is PROVED) establishes 
nat induct ion. induction 

Its premises are: 
nat induct ion. induct ion_m 
natprops .natpos 

nat induction. induct ion_m 
has already been justified 

natprops . natpos 

has already been justified 

sigmaprops . sigma.abs.basis 

is the conclusion of the proof 
sigmaprops . sa_basis_proof 

Proof sigmaprops . Ba_baBis_proof (which is PROVED) establishes 
sigmaprops . sigma_abs_basis 

Its premises are: 
sigmaprops . sigma_ax 
sigmaprops . sigma_ax 
absolutes . abs.axO 

sigmaprops . sigma.ax 

has already been justified 

sigmaprops . sigma.ax 

has already been justified 
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absolutes . abs.axO 

has already been justified 

sigmaprops . eigma.abs.step 

is the conclusion of the proof 
sigmaprops . sa.step.proof 

Proof sigmaprops . sa.step.proof (which is PROVED) establishes 
sigmaprops . sigma.abs.step 

Its premises are: 
sigmaprops . sigma.ax 
sigmaprops . sigma.ax 
absolutes . abs_ax2 
natprops .natpos 
natprops .pred.lemma 

sigmaprops . sigma.ax 

has already been justified 

sigmapropB . sigma.ax 

has already been justified 

absolutes . abs.ax2 

is the conclusion of the proof 
absolutes . abs.proof 2 

Proof absolutes. abs.proof 2 (which is PROVED) establishes 
absolutes . abs_ax2 

Its premises are: 
absolutes . abs„ax 
absolutes . abs.ax 
absolutes . abs.ax 

absolutes . abs.ax 

has already been justified 

absolutes . abs.ax 

has already been justified 

absolutes . abs.ax 

has already been justified 
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natprops .natpos 

has already been justified 

natprops .pred.lemma 

has already been justified 

absolutes . abs_axO 

has already been justified 

arithmetics . abs_div2 

is the conclusion of the proof 
arithmetics . abs_div2_proof 

Proof arithmetics . abs_div2_proof (which is PROVED) establishes 
arithmetics . abs_div2 

Its premises are: 
absolutes . abs_div 
absolutes .pos_abs 

absolutes . abs_div 
is an axiom 

absolutes .pos.abs 

is the conclusion of the proof 
absolutes . pos_abs_proof 

Proof absolutes. pos_abs_proof (which is PROVED) establishes 
absolutes. pos.abs 

Its premises are: 
absolutes . abs_ax 

absolutes . abs_ax 

has already been justified 

arithmetics . div_mon2 

is the conclusion of the proof 
arithmetics . div_mon2_proof 

Proof arithmetics. div_mon2_proof (which is PROVED) establishes 
arithmetics . div_mon2 


Its premises are: 
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arithmetics . div_mon 

arithmetics . div_mon 

has already been justified 

absolutes . abs_axO 

has already been justified 

algorithm. C3 
is an axiom 

The proof chain is complete 

The axioms and assumptions at the base are: 
absolutes . abs.ax 
absolutes . abs.div 
algorithm. Algl 
algorithm.Alg2 
algorithm. Alg3 
algorithm. C0_a 
algorithm. CO_c 
algorithm. C3 
algorithm. S2_ax 
arithmetics .mult_ax 
arithmetics .mult _mon 
arithmetics. quotient_ax 
arithmetics . quotient_axl 
arithmetics . quotient_ax2 
nat induct ion. induct ion_m 
natprops . dif f _ax 
natprops . natpos 
natprops .pred.ax 
sigmaprops . bounded_ax 
sigmaprops . sigma.ax 
sums .xnean_ax 
sums . sum_ax 


C.2 Clock Synchronization Condition SI 

An extract from the proof chain for Theorem.l in the specification is given 
below. The full proof chain listing contains over 3100 lines and enumerates 
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158 proofs and 48 axioms. As discussed in the text, the proof chain is 
apparently circular. The circularity is an artifact of the inductive nature of 
the proof. 

Proof chain for formula Theorem.l in module algorithm 

algorithm . Theorem.l 

is the conclusion of the proof 
main. Theorem.l .pro of 

Proof main.Theorem.l.proof (which is PROVED) establishes 
algorithm . Theorem. 1 

Its premises are: 
main. basis 
main.ind.step 
nat induction . mod. induct ion 
clockprops . SlA.lemma 


********* approximately 3000 lines omitted ********* 


The proof chain is complete 

The axioms and assumptions at the base are: 
absolutes . abs.ax 
absolutes . abs.div 
algorithm. AO 
algor ithm.A2 
algorithm . A2.aux 
algorithm. Algl 
algorithm. Alg2 
algorithm . Alg3 
algorithm. CO.a 
algorithm. CO.b 
algorithm . CO.c 
algorithm . C2 
algorithm. C3 
algorithm. C4 
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algorithm. C5 

algorithm. C6 

algorithm . SlAdef 

algorithm . SICdef 

algorithm. S2_ax 

arithmetics . half _ax 

arithmetics. multi 

arithmetics .mult_ax 

arithmetics . mult _mon 

arithmetics . quotient_ax 

arithmetics . quotient_axl 

arithmetic s . quot ient _ax2 

clocks. A1 

clocks. clockdef 

clocks. gc_ax 

clocks. rho.pos 

clocks . zero_correction 

f unctionprops . extensionality 

nat induct ion. induction2 

natinduction . inductions 

natprops . dif f _ax 

natprops . natpos 

natprops .pred.ax 

sigmaprops . bounded.ax 

sigmaprops . revsigma_ax 

sigmaprops . sigma.ax 

sums .mean „ ax 

sums . sum_ax 

time .Cl 

time .Rdef 

time . Sdef 

time .T_sup_ax 

time .posR 

time.posS 

The proof chain is circular. The directly circluar formulas are: 


algorithm . Theorem_l 
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This appendix reproduces our specifications and proofs for the Interactive 
Convergence Clock Synchronization Algorithm exactly as processed by the 
EHDM system. 
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Module 

Page 

Absolutes 

164 

Algorithm 

191 

Arithmetics 

166 

Clockprops 

194 

Clocks 

189 

Functionprops 

172 

Juggle 

212 

Lemmal 

197 

Lemma2 

198 

Lemma3 

200 

Lemma4 

201 

Lemma5 

203 

Lemma6 

205 

Main 

217 

Natinduction 

173 

Natprops 

170 

Sigmaprops 

180 

Summations 

207 

Sums 

175 

Time 

187 


Table D.l: Page References to raw EHDM Specification Modules 
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absolutes : MODULE 
EXPORTING abs 
THEORY 

a, b, vr, x, y. z: VAR number 
abs: function [number -> number] 

abs_ax : AXIOM abs (a) = IF a < 0 THEN -a ELSE a END IF 

abs.tlmes: AXIOM abs(a*b) = abs (a) * abs(b) 

abs.div: AXIOM b /= 0 IMPLIES abs (a / b) « abs (a) / abs(b) 

abs_axO : LEMMA 0 «= abs(O) 

abs_axl : LEMMA 0 <- abs (x) 

abs_ax2: LEMMA abs(x + y) <* abs(x) + abs(y) 

abs_ax2b: LEMMA abs(x + y + z) <* abs(x) + abs(y) + abs(z) 

abs_ax2c: LEMMA 

abs(w + x + y + z) <* abs (nr) ♦ abs(x) + abs(y) + abs(z) 
abs_ax3: LEMMA abs(-x) ■ abs(x) 
abs_ax4 : LEMMA abs (x - y) * abs (y - x) 
abs_ax6: LEMMA 

0 <= x AND x <* z AND 0 <= y AND y <« z IMPLIES abs(x - y) <* z 
abs_ax6: LEMMA abs(x) <= y IMPLIES -y <= x AND x <* y 
abs_ax7: LEMMA abs(x) ■ abs (abs (x) ) 
abs_ax8: LEMMA abs(x - y) <*= abs(x) + abs(y) 
pos_abs : LEMMA 0 <= x IMPLIES abs(x) * x 


PROOF 
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I 

abs_pro<rfO: PROVE abs_axO FROM abs.ax {a <- 0} 

abs_proof 1 : PROVE abs_axl FROM abs_ax {a <- x} 

I 

abs_proof2: PROVE abs_ax2 FROM 

abs_ax {a <- x + y}, abs.ax {a <- x}, abs.ax {a <- y} 

abs_proof2b: PROVE abs.ax2b FROM 

abs_ax2 {y <- y + z}, abs_ax2 {x <- y, y <- z} 

abs_proof2c: PROVE abs_ax2c FROM 

abs_ax2 {x <- w, y <- x + y + z}, abs_ax2b 

abs_proof3: PROVE abs_ax3 FROM abs.ax {a <- x}, abs.ax {a <- -x} 

abs.proof4: PROVE abs_ax4 FROM 

abs.ax {a <- x - y}, abs.ax {a <- y - x} 

abs.proofB: PROVE abs.axB FROM abs.ax {a <- x - y} 

abs_prool6: PROVE abs.axG FROM abs.ax {a <- x} 

abs_proof7: PROVE abs.ax7 FROM abs.axl , abs.ax {a <- aba(x)} 

abs_proof8: PROVE abs.ax8 FROM 

abs.ax {a <- x - y} f abs_ax {a <- x}, abs_ax {a <- y} 

pos.abs.proof : PROVE pos.abs FROM abs_ax {a <- x} 

END absolutes 


l 


t 

i 

! 
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arithmetics : NODULE 
USING absolutes 

EXPORTING mult, half WITH absolutes 
THEORY 

a, b, c, u, v, w, x, y, z: VAR number 
mult: function [number , number -> number] 
half: function [number -> number] 

(* — *> 

quotient_ax: AXIOM y /■= 0 IMPLIES x/y-x* (1/y) 
quotlent_axl : AXIOM x /«= 0 IMPLIES x / x * 1 
quotient _ax2: AXIOM z > 0 IMPLIES i / z > 0 

(* — *) 

div_times: LEMMA y /= 0 IMPLIES (x / y) * z - (x * z) / y 
dlT_distr : LEMMA z /= 0 IMPLIES x/z + y/ z«(x + y)/z 
abs_div2: LEMMA y > 0 IMPLIES abs(x / y) « abs(x) / y 
dlv_mon: LEMMA x < y AND z > 0 IMPLIES x / z < y / z 
di v_mon2 : LEMMA x <*= y AND z > 0 IMPLIES x / z <= y / z 
diT_prod: LEMMA y>0ANDa<x*y IMPLIES a / y < x 
dir_prod2 : LEMMA y > 0 AND a <- x * y IMPLIES a / y <= x 
cancellation: LEMMA y /= 0 IMPLIES (y * x) / y « x 

C* *) 

mult_ax: AXIOM mult(x, y) c x * y 

multi: AXIOM x >= 0 AND y >= 0 IMPLIES mult(x, y) >= 0 
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ault.mon: AXIOM x < y AND z > 0 IMPLIES mult(x, z) < mult(y, z) 

(* - - *) 

mult_mon2: LEMMA x <= y AND z > 0 IMPLIES mult(x, z) <= mult(y, z) 

cancellation.mult : LEMMA y /« 0 IMPLIES mult(x, y) / y ■ x 

multO: LEMMA y - 0 IMPLIES mult(x, y) ■= 0 

mult.div: LEMMA y /= 0 IMPLIES mult(x / y, y) = x 

(* — — - *) 

half.ax: AXIOM half (x) - x / 2 

(* — *) 

times. half : LEMMA 2 * half(x) « x 

half 2: LEMMA half (x) + half (x) - x 

half 3: LEMMA 2 * mult (half (x) , y) * mult(x, y) 

mult2: LEMMA 2 * (mult(x, y)) * mult ((2 * x) , y) 

mult3: LEMMA mult(x, y + z) * mult(x, y) + mult(x, z) 

mult 4 : LEMMA 0 <= x AND y <« z IMPLIES mult(x, y) <« mult(x, z) 

rearrange: LEMMA 
abs(x - y) 

<■ aba(x - (u + ▼)) + abs(y - (w + z)) + abs(u + v - (w + z)) 
rearrange.alt : LEMMA 

abs(x - y) <* abs(x - (u + v)) + aba(u - w) + abs(y - (w + ▼)) 
PROOF 

div.times.proof : PROVE div.times FROM 
quotient.ax, quotient .ax {x <- x * z} 

div.distr.proof : PROVE div.distr FROM 
quotient.ax {y <- z}, 
quotient.ax {x <- y f y <- z}, 
quotient .ax {x <- x + y. y <- z} 


I 
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abs_div2_proof : PROVE aba_div2 FROM 

abs.div {a <- x. b <- y}, pos_abB {x <- y} 

quotient _mult : LEMMA y /* 0 IMPLIES x / y * multfx. 1 / y) 

quotient_mult_proof : PROVE quotient _mult FROM 
quotient_ax, mult_ax {y <- 1 / y} 

div_mon_proof : PROVE div_mon FROM 
mult_mon {z <- 1 / z}, 
quotient_mult {y <- z}, 

quotientjault {x <- y, y <- z}, 

quotient_ax2 

diY_mon2_proof : PROVE div_mon2 FROM div.mon 

div_mult : LEMMA y > 0 AND a < nult(x, y) IMPLIES a / y < x 

div_mult_proof : PROVE diY_mult FROM 
diY_non {z <- y, x <- a, y <- mult(x, y)}, cancellationjnult 

div_mult2 : LEMMA y > 0 AND a <= mult(x f y) IMPLIES a / y <* x 

div_ault2_proof : PROVE diY_mult2 FROM 

diY_mon {z <- y, x <- a, y <- »ult(x, y)}, cancellationjnult 

diY_prod_proof : PROVE div_prod FROM div_jnult , ntult_ax 

div_prod2„proof : PROVE div_prod2 FROM div_mult2, mult_ax 

cancellation_proof : PROVE cancellation FROM 
div_times {x <- y, z <- x}, quotient.axl {x <- y} 

amlt_mon2_proof : PROVE mult_mon2 FROM mult_mon 

cancellation_mult_proof : PROVE cancellationjnult FROM 
cancellation, nult_ax 

nultO_proof : PROVE multO FROM nult_ax {y <- 0} 

ault_div_prooi : PROVE ault_div FROM 

mult.ax {x <“ x / y} , divjtiaes {z <- y} f cancellation 

tiaesjialf .proof : PROVE times_half FROM 

hall _ax , div_times {y <- 2, z <- 2}, cancellation {y <- 2} 
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half 2_proof : PROVE half 2 FROM tines Jialf 

half 3_proof : PROVE half 3 FROM mult2 {x <- half (x)}, tines Jialf 

nult2_proof: PROVE mult2 FROM nult.ax, nult.ax {x <- 2 * x} 

nult3_proof : PROVE nult3 FROM 

mult.ax, mult_ax {y <- z}, mult.ax {y <- y + z} 

nult4_proof: PROVE nult4 FROM nult3 {z <- z - y}, nultl {y <- z - y} 

rearrange 1 : LEMMA 

x - y ■ (x - (u + ▼)) + (vr + z - y) + (u + v - (w + z)) 
re arrange 1 .proof : PROVE rearrangel 
rearrange2: LEMMA 

abs((x - (u + v)) + (w + z - y) + (u + v - (w + z) ) ) 

<= abs(x - (u + v)) + abs(y - (w + z)) + abs(u + v - (w + z)) 

rearrange2_j>roof : PROVE rearrange2 FROM 

abs_ax2b {x <- x - (u + v) , y <- u ♦ v - (v + z), z <- w + z - y}, 
abs_ax3 {x <- w + z - y} 

rearrange.proof : PROVE rearrange FROM rearrangel, rearrange2 
rearrange. alt^proof : PROVE rearrange.alt FROM rearrange {z <- v} 


END arithmetics 
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natprops: MODULE 
EXPORTING pred, diff 
THEORY 

i, o, n: VAR nat 

pred: function [nat -> nat] 

natpos : AXIOM n >= 0 

pred.ax: AXIOM n /= 0 IMPLIES pred(n) = n - 1 

dif f : function [nat , nat -> nat] 

diff.ax: AXIOM n >= m IMPLIES diff (n. n) - n - m 

pred.lemma: LEMMA pred(n + 1) - n 

diff .zero: LEMMA n > n IMPLIES diff(n, b) > 0 

pred.diff: LEMMA n > m IMPLIES pred (diff (n, m)) « diff (n, b + 1) 

diff 1 : LEMMA n >= n IMPLIES diff(n + 1, #+ 1) « diff (n, b) 

diff. diff: LEMMA 

n >= b AND n >= i AND m >= i 

IMPLIES diff (diff (n, i) , diff(n. i)) - diff(n, b) 

dif f .plus : LEMMA n >= m IMPLIES b + diff(n, m) * n 

diff.ineq: LEMMA 

n >== n AND n >* i AND m >= i IMPLIES diff (n, i) >= diff (b. i) 
PROOF 

pred_lemma_proof : PROVE pred.lemma FROM pred.ax {n <- n + l}, natpos 

diff.zero.proof : PROVE dif f _ zero FROM diff .ax 

pred.diff .proof : PROVE pred.diff FROM 

pred.ax {n <- diff(n, m)}, diff.ax, diff.ax {m <- b + 1} 

diff l.proof : PROVE diffl FROM 


Natprops 


171 


diff.ax, diff.ax {n <- n + 1, b <- b + 1} 

diff .diff .proof : PROVE dif f _dif f FROM 
diff.ax, 

diff.ax {b <- l}. 

diff.ax {n <- b. b <- i}. 

diff.ax {n <- diff (n. i) , m <- diff (b. i)} 

dif f _plu8_proof : PROVE dif f .plus FROM diff.ax 

dif f .ineq.proof : PROVE dif f _ineq FROM 

diff.ax {m <- i} . diff.ax {n <- b. b <- i} 

END natprops 
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functionprops : MODULE 
THEORY 

F ( G: VAR function [nat -> number] 
x: VAR nat 

extensionality : AXIOM (FORALL x : F(x) = G(x)) IMPLIES F = G 


END functionprops 
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nat induct ion: MODULE 
USING natprops 
THEORY 

i, 10, il. 12, 13, j, m, n: VAR nat 
prop, A, B: VAR function [nat -> bool] 
prop2: VAR function [nat , nat -> bool] 
indue tion.ni: AXIOM 

(prop(m) AND (FORALL 1 : i >» m AND prop(i) IMPLIES prop(l + 1))) 
IMPLIES (FORALL n : n >= a IMPLIES prop(n)) 

induction2: AXIOM 

(FORALL 10 : prop2(10, 0)) 

AND (FORALL j : 

(FORALL 11 : prop2(il, J)) 

IMPLIES (FORALL 12 : prop2(12, J + 1))) 

IMPLIES (FORALL 13, n : prop2(13, n)) 

mo d_ indue tion_m : LEMMA 

(FORALL j : J >= m AND A(J + 1) IMPLIES A(J)) 

AND ((A(m) IMPLIES B(m)) 

AND (FORALL 1 : 

1 >= m AND A(i + 1) AND B(i) IMPLIES B(i + 1))) 
IMPLIES (FORALL n : n >= m AND A(n) IMPLIES B(n)) 

induction: LEMMA 

(prop(O) AND (FORALL 1 : prop(i) IMPLIES prop(i + 1))) 

IMPLIES (FORALL n : prop(n)) 

mod_inductlon : LEMMA 

(FORALL J : A(j + 1) IMPLIES A(J)) 

AND ( (A(0) IMPLIES B(0)) 

AND (FORALL 1 : A(i + 1) AND B(i) IMPLIES B(i + 1))) 
IMPLIES (FORALL n : A(n) IMPLIES B(n)) 

induct ionl : LEMMA 

(prop ( 1 ) AND (FORALL i : i >= 1 AND prop(l) IMPLIES prop(l + 1))) 
IMPLIES (FORALL n : n >= 1 IMPLIES prop(n)) 


mod_inductionl : LEMMA 


174 


Appendix D. Plain EHDM Specification Listings 


(FORALL j : j >= 1 AND A(j + 1) IMPLIES A(j)) 

AND ((A(l) IMPLIES B(l)) 

AND (FORALL i : 

i >- 1 AND A(i + 1) AND B(i) IMPLIES B(i + 1))) 

IMPLIES (FORALL n : n >= 1 AND A(n) IMPLIES B(n)) 

PROOF 

mod_m_prooX : PROVE aod_inductions {i <- iCpl, j <- i} FROM 
inductions {prop <- (LAMBDA i -> bool : A(i) IMPLIES B(i))} 

induction^proof : PROVE induction {i <- iCpl} FROM 
inductions {m <- 0}, natpos 

mod_induction_proof : PROVE aod_induction {i <- iCpl , j <- jCpl} FROM 
aod_inductions {a <- 0}, natpos 

induct i on l_pro of : PROVE inductionl (i <- iCpl} FROM 
inductions {a <- 1} 

aod_inductionl_proof : PROVE aod_inductionl {i <- iCpl, j <- jCpl} FROM 
aod.inductions {a <- 1} 


END natinduction 
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sums: MODULE 

USING arithmetics, natprops, sigmaprops 

EXPORTING sum, mean 

THEORY 

i. j, k, n, pp, qq, it: VAR nat 

x, y, z: VAR number 

F, G: VAR function [nat -> number] 

sum: function [nat , nat, function [nat -> number] -> number] 

mean: function [nat , nat, function [nat -> number] -> number] 

sum_ax: AXIOM 
sum(i, j, F) 

= IF i <= j + 1 THEN sigma(i, diff(j + 1, i), F) ELSE 0 END IF 

mean_ax: AXIOM 
mean(i, j, F) 

6 IF i < s ] THEN sum(i , j. F) / (j + 1 - i) ELSE 0 END IF 

me an_ lemma : LEMMA 
mean(i, j, F) 

■= IF i <= j 

THEN Bigma(i, diff(j + 1 , i) , F) / ( j + 1 - i) 

ELSE 0 
END IF 

split_Bum: LEMMA 

i <= j + 1 AND i <= k + 1 AND k <= j 

IMPLIES sum(i, j , F) ■ sum(i, k, F) + sum(k + 1, j, F) 

split_mean: LEMMA 

i <® j AND i <= k + 1 AND k <= j 
IMPLIES mean(i , j . F) 

* (sum(i , k, F) + Bum(k + 1, j. F)) / (j - i + 1) 

8um_bound : LEMMA 

1 <*= j ♦ 1 AND (FORALL pp : i <» pp AND pp <= J IMPLIES F(pp) < x) 
IMPLIES sum(l , J , F) <■ x * (J - i + 1) 
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mean_bound : LEMMA 

i <= J AND (FORALL pp : i <- pp AND pp <*= j IMPLIES F(pp) < x) 
IMPLIES meand, J . F) < x 

mean_const : LEMMA 

i <= j IMPLIES x = meand, j. (LAMBDA qq -> number : x)) 
mean_nult : LEMMA 

meand. J . F) * x - mean(i, j. (LAMBDA qq -> number : F(qq) * x)) 

mean_sum : LEMMA 

mean(i, j , F) + mean(i, j. G) 

* meand, J. (LAMBDA qq -> number : F(qq) + G(qq))) 

mean_dif t : LEMMA 

meand, J. F) - nean(i, j, G) 

- mean(i. J. (LAMBDA qq -> number : F(qq) - G(qq))) 

abs_mean: LEMMA 

mbs (meand, J, F)) <■ meand, J. (LAMBDA qq -> number : mbs(F(qq)))) 
rearrange_Bum: LEMMA 

i <= j IMPLIES x + meand, J , F) - (y + mean(l. J, G)) 

■= meand, J, (LAMBDA qq -> number : x + F(qq) - (y + G(qq)))) 

PROOF 

mean_lemina_proof : PROVE me an_ lemma FROM mean_ax , Bum_ax 


split_Bum_proof : PROVE split_Bum FROM 
Bum_ax , 

Bum_ax {j <- k}, 
sum_ax {i <- k + l}» 

split.sigma {n <- dilKj + 1, i). m <- diff(k + 1, i). i <- i}. 

dilf_diff {n <- J + 1. m <- k ♦ l}. 

difi.plus {n <- k + 1, m <- i}. 

dilf_ineq {n <- J + 1 , m <- k + 1} 

split_mean_proof : PROVE split.mean FROM split.sum, mean.ax 


Bigma_bound2 : LEMMA 

n > O AND (FORALL k : 1 <= k AND k <= 1 + pred(n) IMPLIES F(k) < x) 
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IMPLIES Bigmafi, n. F) < mult(x, n) 

8igma_bound2_proof : PROVE 8igma_bound2 {k <- kCpl} FROM 
sigma.bound, mult_ax {y <- n} 

Bum_bound_nod : LEMMA 

i <* i AND (FORALL pp : i <= pp AND pp <= j IMPLIES F(pp) < x) 
IMPLIES Bum(i , j , F) < mult(x, (J + 1 - i)) 

Bum_bound_mod_proof : PROVE sum_boundjnod {pp <- Mp2} FROM 
sum. ax, 

8igma_bound2 {n <- diff(j + 1, i), i <- i}, 
pred_diff {n <- j + 1, m <- i}, 
diff_ax {n <- j + 1, m <- i}, 
dilf_ax {n <- j + 1, m <- i + 1} 

Bum_boundl : LEMMA 

1 <» j AND (FORALL pp : i <= pp AND pp <= j IMPLIES F(pp) < x) 
IMPLIES 8um(i , J , F) < x * (j - i + 1) 

Bum_boimdl_proof : PROVE Bum_boundl {pp <- ppCpl} FROM 
Bmn_bound_mod, »ult_ax {y <- ] ♦ 1 ■ i) 

sum^boundO: LEMMA 

i - J + 1 AND (FORALL pp : 1 <- pp AND pp <= j IMPLIES F(pp) < x) 
IMPLIES Bum(i, j, F) <= nult(x, (j +1 - 1)) 

8um_bound0_proof : PROVE Bum_boundO FROM 
Bum_ax {i <- j + 1} , 
diff_ax {n <- J + 1, a <• J + l}, 
sigma. ax {i <- j + 1 , n <- 0} , 
multO {y <- j + 1 - 1} 

sum_bound2 : LEMMA 

i <= j + 1 AND (FORALL pp : i <= pp AND pp <» j IMPLIES F(pp) < x) 
IMPLIES eum(i, j, F) <» mult(x, (J + 1 - i)) 

8um_bound2_proof : PROVE sum_bound2 {pp <- ppCpl} FROM 
sum_bound_mod , sum.boundO 

sum_bound_proof : PROVE sum.bound {pp <- ppCpl} FROM 
8um_boimd2 , nult.ax {y <- j +1 - i} 


aean_boimd_proof : PROVE mean.bound {pp <- ppCpl} FROM 

sum.boimdl , mean. ax, div.prod {a <- auo(i, j , F) , y <- j - i + l} 
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(* - - *) 

mean_const_proof : PROVE mean_cpnflt FROM 

mean_lemma {F <- (LAMBDA qq -> number : x)}, 

8igma_const {n <- diff(j + 1, i) , i <- i}, 
diff.ax {n <- j + 1, a <- i}, 
cancellation {y <- j + 1 - i} 


(* 

Bum_mult : LEMMA 

Bum(i, j, F) * x *= sum(i ( j, (LAMBDA qq -> number : F(qq) * x)) 

Bum_mult_proof : PROVE sum^mult FROM 
Bum_ax # 

Bum_ax {F <- (LAMBDA qq -> number : F(qq) * x)}, 
mod_Bigma_mult {i <- i, n <- diff(j + 1, i)} 

mean_mult_proof : PROVE mean_mult FROM 
mean_ax, 

mean.ax {F <- (LAMBDA qq -> number : F(qq) * x)}, 

Bum_mult , 

div_times {x <- eum(i, j, FCp3) , y <- j + 1 - i , z <- x} 


(* - — - — *) 

mean_Bum_proof : PROVE *ean_fium FROM 

mean_lemma {F <- (LAMBDA qq -> number : F(qq) + G(qq))}„ 

mean_lemma, 

mean_lemma {F <- G}, 

Bigma_Bum {n <- di*f(j + 1, i) , i <- i}» 
div_distr 

{x <- 8igma(i, diff(j + 1, i), F) , 
y <- Bigma(i, diff(j + 1. i), G) , 
z <- J + 1 - 1} 


(* — - - *> 

mean_diif _prool : PROVE mean_diff FROM 
mean_mult {F <- G, x <- -l}, 

mean_Bum {G <- (LAMBDA qq -> number : G(qq) * ~1)} 


(* — - *> 

abs.sum: LEMMA 

abs(Bum(i f j, F)) <« sum(i, J, (LAMBDA qq -> number : abs(F(qq)))) 
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abB.aum.proof : PROVE abs.sum FROM 
sum. ax, 

sum.ax {F <- (LAMBDA qq -> number : aba(F(qq)))}, 
sigma. abs {n <- diff(j + 1, i) f i <- i}, 
abs.axO 

abB_mean_proof : PROVE abs.mean FROM 
mean.ax, 

mean.ax {F <- (LAMBDA qq -> number : abs(F(qq)))} f 
abs.smn, 

abs_div2 {x <- sum(i, J, F), y <- j + 1 - i} # 
div_mon2 

{x <- abs (sum(i , j, F)). 
y <- 8um(i, j, FCp2), 

2 <- J + 1 - i}, 
abs.axO 


(* *) 

rearrange.aub : LEMMA 

i <*= j IMPLIES x + mean(i , j, F) 

* mean(i, j, (LAMBDA qq -> number : x + F(qq))) 

rearrange_8ub_proof : PROVE rearrange.eub FROM 

mean.const, mean. sum {G <- (LAMBDA qq -> number : x)} 

rearrange_Bum_proof : PROVE rearrange.sum FROM 
rearrange.aub, 

rearrange.aub {x <- y, F <- G}, 
mean.diff 

{F <- (LAMBDA pp -> number : x + FCc(pp)), 

G <- (LAMBDA pp -> number : y + Gfic(pp))} 


END sums 
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sigmaprops: MODULE 

USING arithmetics , natprops, functionprops , natlnduction 

EXPORTING sigma 

THEORY 


i, 11, 12, j, k, 1: VAR nat 
F f G: VAR Xunction[nat -> number] 
n, m, mm, nn, qq: VAR nat 
x, y: VAR number 

sigma: function [nat , nat, function [nat -> number] -> number] 

sigma_ax : AXIOM 
Bigma(i, n, F) 

- IF n - 0 
THEN 0 

ELSE F(i + pred(n)) + sigma(i, pred(n) , F) 

END IF 

sigma_const: LEMMA sigma (i, n, (LAMBDA qq -> number : x)) « n * x 
sigma.mult : LEMMA 

sigma(i, n, (LAMBDA qq -> number : x * F(qq))) * x * sigma(i, n, F) 
mod_sigma_jnult : LEMMA 

sigma(i, n, (LAMBDA qq -> number : F(qq) * x)) * sigma(i, n, F) * x 

sigma_Bum : LEMMA 

sigma(i, n, F) + sigma(i, n, G) 

* sigma(i, n, (LAMBDA qq -> number : F(qq) + G(qq))) 

split.sigma: LEMMA 

n >■ m IMPLIES sigma(i, n, F) 

= sigma(i, m, F) + sigma(i + m, diff(n, m) , F) 

Bigma.abs : LEMMA 
abs (sigma(l , n, F)) 

<*= sigma (i, n, (LAMBDA qq -> number : abs(F(qq)))) 
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sigma_bound: LEMMA 

n > 0 AND (FORALL k : i <» k AND k <- i + pred(n) IMPLIES F(k) < x) 
IMPLIES sigmad, n, F) < n * x 

bounded: function [nat, nat, function [nat -> number], number -> bool] 

bounded_ax : AXIOM 

n > 0 IMPLIES (bounded(i, n, F, x) 

■ (FORALL k : i <= k AND k <« i + pred(n) IMPLIES F(k) < x)) 

reveigma: function [nat , nat, function [nat -> number] -> number] 

revsigma_ax: AXIOM 
revsigma(i, n, F) 

- IF n - 0 THEN 0 ELSE F(i) + revsigmad + 1, pred(n), F) END IF 
aigma_rev: LEMMA Bigma(i, n, F) « revBigma(i. n, F) 

PROOF 

Bigma_const_basi8 : LEMMA sigma (i, 0, (LAMBDA qq -> number : x)) - 0 

sc„basi8_proof : PROVE 8igma_con8t_basiB FROM 

sigma_ax {n <■ 0, F <- (LAMBDA qq -> number : x)} 

Bigma„const_Btep: LEMMA 

sigma(i, n, (LAMBDA qq -> number : x)) « n * x 

IMPLIES 8igma(i, n + 1, (LAMBDA qq -> number : x)) * (n + 1) * x 

8C_step_proof : PROVE sigma_con8t_step FROM 

sigma_ax {n <- n + 1, F <- (LAMBDA qq -> number : x)}, pred.lemma 

sc_proof : PROVE sigma_const FROM 
Induction 

{prop <- (LAMBDA nn -> bool : 

sigma (i, nn, (LAMBDA qq -> number : x)) ■= nn * x)}, 
sigma_const_ basis , 

8igma_const_Btep {n <- iCpl} 

(* - *) 

Bigma_mult_baBiB : LEMMA 

Bigmad, 0, (LAMBDA qq -> number : x * F(qq))) - x * sigma(i, 0, F) 


Bm_basis_proof : PROVE Bigma_mult_basiB FROM 
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sigma_ax {n <- 0} f 

8igma_8ix {n <- 0, F <- (LAMBDA qq -> number : x * F(qq))} 


8igma_mult_Btep: LEMMA 
sigma(i. &, (LAMBDA qq 
IMPLIES sigmad, n + 
■ x * sigmad, n + 


-> number : x * F(qq))) - x * Bigma(i, n, F) 
1, (LAMBDA qq -> number : x * F(qq))) 

1. F) 


Bm_Btep_proof : PROVE sigmajnult.Btep FROM 

Bigma_ax {n <- n + 1, F <- (LAMBDA qq -> number : x * F(qq))}, 

sigma_ax {n <- n + l}, 

pred_lemma 


sm.proof : PROVE sigma_mult FROM 
induction 

{prop <- (LAMBDA nn -> bool : 

sigmad, nn, (LAMBDA qq -> number : x * F(qq))) 
= x * Bigma(i , nn, F))}, 

Bigma.mult.basis , 
sigma„mult_step {n <- iCpl} 


(* - *) 

»od_s igma_mult .proof : PROVE mod_sigma_mult FROM 
sigma_mult , 
extensionality 

{F <- (LAMBDA qq -> number : x * F(qq)), 

G <- (LAMBDA qq -> number : F(qq) * x)} 


(* - - *> 

sigma_sum_basis : LEMMA 

Bigma(i, 0. F) + sigma(i, 0, G) 

« Bigma(i, 0, (LAMBDA qq -> number : F(qq) + G(qq))) 

B8_basiB_proof : PROVE Bigma_Bum_basis FROM 

sigma_ax {n <- 0, F <- (LAMBDA qq -> number : F(qq) + G(qq))}, 

8igma_ax {n <- 0, F <- (LAMBDA qq -> number : G(qq))}, 

Bigma.ax {n <- 0} 

sigma_Bum_Btep: LEMMA 

8igma(i, n, F) + sigmad, n, G) 

= sigma(i, n, (LAMBDA qq -> number : F(qq) + G(qq))) 

IMPLIES sigmad, n ♦ 1, F) ♦ Bigmad, n + 1 , G) 

* sigma (i, n + 1, (LAMBDA qq -> number : F(qq) + G(qq))) 

B8_step_proof : PROVE sigma_sum_8tep FROM 
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Bigma.ax {n <- a ♦ 1, F <- (LAMBDA qq -> number : F(qq) + G(qq))}, 
Bigma_ax {n <- n + 1, F <- (LAMBDA qq -> number : G(qq))}, 

8igma_ax {n <- n + l}, 
pred_lemma 

BB^proof : PROVE Bigmajaum FROM 
induction 

{prop <- (LAMBDA nn -> bool : 

BigmaCi, nn, F) + sigma(i, nn, G) 

* sigma(i, nn, (LAMBDA qq -> number : F(qq) + G(qq))))}, 
Bigma_Bum_basi8 , 
sigma_Bum_8tep {n <- iflpl} 


(* - - *) 

8plit_sigma_baflis : LEMMA 

Bigma(i, n. F) * Bigma(i, 0, F) + Bigma(i, ditt(n, 0), F) 

flplit_basiB_proo* : PROVE Bplit_Bigma_basi8 FROM 

8igma_ax, sigma.ax {n <- 0}. diff_ax {m <- 0}, natpos 

8plit_8igma_8tep: LEMMA 

(n >« m IMPLIES sigma(i, n, F) 

* Bigma(i, m, F) + Bigma(i + m, diff(n, *) , F)) 

IMPLIES (n >» m + 1 

IMPLIES fligma(i, n, F) 

■ BigmaCi, m + 1 , F) + 8igma(i ♦ m + 1, diif(n, m + 1). F)) 

Bplit_Btep_proof : PROVE split_8igma w 8tep FROM 
aigma_ax {n <- m + l}, 

8igma_rev {i <- i + m + 1, n <- diff(n, m + 1)}, 

revsigma_ax {i <- i + m, n <- diff(n, m)}, 

eigma_rev (i <- i + m, n <- diff(n, m)}, 

pred_lemma {n <- m}, 

pred^diff , 

diff_zero, 

natpos {n <- m} 

Bplit_proof : PROVE split_Bigma FROM 
induction 
{n <- m, 

prop <- (LAMBDA nn -> bool : 
n >« nn 

IMPLIES BigmaCi, n, F) 

B BigmaCi , nn. F) + BigmaCi + nn. diffCn, nn) , F))}, 
Bplit_Bigma_bafliB , 

Bplit_Bigma_8tep {m <- iCpl} 
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(* - - *) 

8igma_abB_baBiB: LEMMA 
abfl(Bigma(i. 0, F)) 

<= 8igma(i, 0. (LAMBDA qq -> number : abs(F(qq)))) 

8a_basiB_proof : PROVE Bigma__ab8_basi8 FROM 
sigma_ax {n <- 0}, 

Bigma_ax {n <- 0, F <- (LAMBDA qq -> number : aba (F(qq)))} , 
abs_axO 

Bigma_abs_Btep: LEMMA 
abs(Bigma(i, n f F)) 

<*= sigma (i, n, (LAMBDA qq -> number : abs(F(qq)))) 

IMPLIES abfl(Bigma(i, n + 1, F)) 

<* sigma (i, n + 1, (LAMBDA qq -> number : abe(F(qq)))) 

sa_step_proof : PROVE sigma_abB_Btep FROM 
sigma_ax {n <- n ♦ l}, 

sigma.ax {n <- n ♦ 1 , F <- (LAMBDA qq -> number : abs(F(qq)))}, 
abs_ax2 {x <- F(i + n) , y <- sigma(i, n, F) } , 
natpos , 
pred.lemma 

Ba_proof : PROVE Bigma_abs FROM 
induction 

{prop <- (LAMBDA nn -> bool : 
abfl(sigma(i, nn, F)) 

<= Bigma(i, nn, (LAMBDA qq -> number : abs(F(qq)))))}. 
Bigma_abs_basis , 

Bigma_abB_Btep {n <- iCpl} 


(* - *) 

bounded.lemma : LEMMA 

n > 0 AND bounded (i , n + 1, F. x) IMPLIES bounded(i, n, F, x) 

bounded_proof : PROVE bounded_lemma FROM 
bounded.ax {k <- k«pl}, 
bounded_ax {n <- n + 1, k <- Wpl}, 
pred_ lemma. , 
pred_ax 


sigma_bound_baBiB : LEMMA 

bounded (i, 1, F, x) IMPLIES Bigma(i, 1 , F) < x 
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Bb_basiB_proof : PROVE Bigma_bound_ba8is FROM 
bounded_ax {n <- 1, k <- i}, 

8igma_ax {n <- 0} , 
aigma.ax {n <- l}, 
pred.ax {n <- 1} 

alt_sigma_bound_8tep: LEMMA 

n > 0 AND bounded(i. n + 1, F. x) AND aigmad, n. F) < mult(n, x) 
IMPLIES sigmad, n + i, F) < x + mult(n, x) 

alt_Bb_step_proof : PROVE alt_Bigma_bound_Btep FROM 
bounded.ax {n <- n + 1 , k <- i + n}, 

8igma„ax {n <- n + l}, 

pre dilemma, 

natpos 

Bigma_bound_step: LEMMA 

n > 0 AND boundedd. n + 1, F, x) AND sigmad, n, F) < n * x 
IMPLIES sigmad, n + 1 , F) < (n + 1) * x 

Bb_Btep_proof : PROVE Bigma.bound^step FROM 

alt_Bigma_bound_Btep. mult.ax {x <- n, y <- x} 

Bb: LEMMA n > 0 AND boundedd, n, F, x) IMPLIES aigmad, n, F) < n * x 

ab.proof : PROVE Bb FROM 
mod.inductionl 

{A <- (LAMBDA nn -> bool : bounded(i f nn, F, x)), 

B <- (LAMBDA nun -> bool : sigmad, mm, F) < mm * x)}, 
bounded_lemma (n <- j©pl} ( 

Bigma.boimd.basis , 

Bigma.bound.step {n <- i©pl} 

aigma.bound.proof : PROVE aigna.bound {k <- kCp2} FROM eb, bounded. ax 

<* - *) 

Bigmal: LEMMA sigmad, b M, F) ■ F(i) + aigmad + 1, n, F) 

aigmal.basis: LEMMA Bigma(i, 1 . F) « F(i) + Bigma(i + 1. 0, F) 

alb.proof : PROVE sigmal.basis FROM 
sigma.ax {n <- 0} , 
sigma, ax {i <■ i + 1, n <- 0}, 
sigma. ax {n <- l}, 
pred.ax {n <- 1} 



186 


Appendix D. Plain EHDM SpeciGcation Listings 


8lgmal_8tep: LEMMA 

sigmaCi. n + 1, F) * F(i) + Bigma(i + 1, n, F) 

IMPLIES sigmaCi, n + 2, F) « F(i) + Bigma(i + 1, n + 1. F) 

sls.proof : PROVE Bigmal_Btep FROM 
Bigma_ax {i <- i + 1, n <- n + l} ( 

8igma_ax {n <- n + 2}, 
pred_lemma, 

pred_lemma {n <- n + l} f 
natpos 

Bigmal.proof : PROVE Bigmal FROM 
Induction 

{prop <- (LAMBDA nn -> bool : 

8igma(i, nn + 1, F) « F(i) + sigma(i + 1. nn, F))}, 
Bigmal ..basis, 

Bigmai_step {n <- iCpl} 


(* *) 

Bigma_rev_baBiB: LEMMA 8igma(i, 0. F) * revsigmad. 0, F) 

arb_proof : PROVE Bigma_rev_baBiB FROM 
Bigma_ax {n <- 0}, revsigma_ax {n <- 0} 

Bigma_reY_Btep: LEMMA 

(FORALL 11 : sigmadl, n, F) ■= revsigma(il, n. F)) 

IMPLIES (FORALL 12 : Bigma(12, n + 1, F) ■ revsigma(12, n + 1, F)) 

srp_proof: PROVE Bigma_rev..step {il <- 12 + 1} FROM 
revsigma.ax {i <- 12, n <- n + l}, 

Bigmal {i <- 12}, 

pred_lemma, 

natpos 

Bigma_rev_proof : PROVE 8igma_rev FROM 
induct ion2 
{11 <- HCp3, 

13 <- 1, 

prop2 <- (LAMBDA 1, nn -> bool : 

Bigma(i, nn, F) * revsigmad, nn. F))}, 

8igmajrev_baBis {i <- iOOpl}, 

Bigma_rev_Btep {12 <- 12Cpl, n <- jCpl} 


END Bigmaprops 
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tine: MODULE 
USING arithmetics 

EXPORTING clocktime, realtime, period, R, S, T_ZER0, T_sup, in_R_interral, 
in_S_interval WITH arithmetics 

THEORY 

clocktime: TYPE IS number 
realtime: TYPE IS number 
period: TYPE IS nat 

R, S: clocktime (* Synchronizing periods *) 

posR: AXIOM 0 < R 

posS: AXIOM 0 < S 

Cl : AXIOM R >= 3 * S 

SinR: LEMMA S < R 

i : VAR period 

T_sup: lunct ion [period -> clocktime] 

T_ZERO: clocktime 

T_sup_*x: AXIOM T_sup(i) - T.ZERO + i * R 
T_next : LEMMA T_sup(i+1) - T_sup(l) + R 
T, Tl. T2, PI: VAR clocktime 

in_R_interval : function [clocktime, period -> boolean] 

Rdef : AXIOM in_R_interval(T, i) 

* (EXISTS PI : 0 <= PI AND PI <- R AND T - T_sup(i) + PI) 

Ti_in_R: LEMMA in_R_interval(T_sup(i) . i) 

in_S_interval : function [clocktime, period -> boolean] 
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Sdef : AXIOM in_S_interval(T, i) 

- (EXISTS PI : 0 <* PI AND PI <- S AND T - T_sup(i) + R - S + PI) 
inRS: LEMMA ln_S_intervaI(T , 1) IMPLIES in_R_interval(T, 1) 

Ti_in_S: LEMMA in_S_interval(T_8up(i +1), i) 
in_S_lemma: LEMMA 

in_S_interval(Tl, i) AND in_S_interval(T2, i) IMPLIES abs(Tl - T2) <= S 
PROOF 

SinR_proof : PROVE SinR FROM Cl. posS, posR 

Ti.proof : PROVE Ti.injl FROM Rdef {T <- T_Bup(i), PI <- 0}, abs.axO, posR 

inRS_proof : PROVE inRS FROM Sdef, Rdef {PI <- R - S + PICpl}, SinR 

T_next_proof : prove T_next from T_Bup_ax, T_sup_ax{i<-i+l} 

Ti_in_S„proof : PROVE Ti_in_S FROM Sdef{PI<-S, T<- 
T_sup(i+1)}, posS. T_next 

in_S_proof : PROVE in_S_lemma FROM 

Sdef {T <- Tl}, Sdef {T <- T2}, abs.axB {x <- PICpl. y <- PICp2. z <- S} 


END time 
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clocks : MODULE 
USING time 

EXPORTING proc, clock, rho, Corr, adjusted, rt, nonfaulty 
WITH time 

THEORY 

proc: TYPE IS nat 
p: VAR proc 

clock: function [proc, clocktime -> realtime] 

Corr: function [proc, period -> clocktime] 
zero_correction: AXIOM Corr(p, 0) * 0 
i: VAR period 

T, TO, Tl. T2 , TN: VAR clocktime 

adjusted: function [proc, period, clocktime -> clocktime] * 
(LAMBDA p, i, T -> clocktime : T + Corr(p, i)) 

rt : function [proc, period, clocktime -> realtime] 

clockdef : AXIOM rt(p, i, T) - clock(p, adjusted(p, i, T)) 

goodclock: function [proc, clocktime, clocktime -> bool] 

rho: number 

rho_pos: AXIOM half (rho) >■= 0 

rho_small : AXIOM half (rho) < 1 

gc_ax : AXIOM 

goodclock(p, TO, TN) 

• (FORALL Tl, T2 : 

TO <* Tl AND TO <« T2 AND Tl <= TN AND T2 <» TN 

IMPLIES abs (clock(p, Tl) - clock(p, T2) - (Tl - T2)) 
< mult (half (rho) , abs(Tl - T2))) 
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monotonicity: THEOREM 
goodclock(p, TO, TN) 

AND TO <« T1 AND TO <» T2 AND T1 <« TN AND T2 <= TN 
IMPLIES (T1 > T2 IMPLIES clock (p, Tl) > clock(p. T2)) 

nonfaulty: function [proc, period -> boolean] 

A1 : AXIOM nonfaultyCp, i) 

* goodclock(p, 

adju8ted(p, 0, T_sup(0)), 
adjusted(p, i. T_sup(i + 1))) 


PROOF 

x, y: VAR number 

diminish: LEMMA x > 0 IMPLIES mult (half (rho) , x) <= x 

i 

dimini sh_pro of : PROVE diminish FROM 

®ult_mon {x <- half (rho), y <- 1, z <- x}, 
rho_small , 

mult_ax {x <- 1, y <- x} 

monoproof: PROVE monotonicity FROM 
gc_ax, 

diminish {x <- abs(Tl - T2)}, 

abs_ax {a <- clock(p, Tl) - clock(p, T2) - (Tl - T2)}, 
abs_ax {a <- Tl - T2} 


END clocks 
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algorithm: MODULE 
USING clocks, sums 

EXPORTING Sigma. Delta, Deltal . Delta2, D2bar. skew. S1A, SIC, S2, 
delta, eps, deltaO, n, m WITH clocks 

THEORY 

T. TO, Tl, X, PI: VAR clocktime 
i : VAR period 
p. q, r: VAR proc 

Deltal: function [proc , period -> clocktime] 

Delta2, D2bar: function [proc , proc, period -> clocktime] 
m, n: proc 

eps, deltaO, delta: realtime 

Sigma, Delta: clocktime 

CO_a: AXIOM n > 0 

CO_b : AXIOM 0 <= m AND m < n 

C0_c : AXIOM Delta > 0 

C2: AXIOM S >= Sigma 

C3: AXIOM Sigma >= Delta 

C4 : AXIOM Delta >= delta + eps + mult (half (rho) . S) 

C5: AXIOM delta >= deltaO + rho * R 
C6 : AXIOM delta 

>= 2 * (eps + rho * S) + 2 * m * Delta / (n - m) 

+ n * rho * R / (n - m) 

+ rho * Delta 

+ n * rho * Sigma / (n - m) 


I 
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C2and3: LEMMA Delta <* S 

Algl: AXIOM Corr(p, 1 + 1) » Corr(p, 1) + Deltal(p. 1) 

Alg2 : AXIOM 

DeltaKp, 1) « mean(l, n, (LAMBDA r -> number : D2bar(r f p, i))) 

Alg3: AXIOM 
D2bar(r, p, 1) 

■ IF r /■ p AND abs(Delta2(r, p, 1)) < Delta 
THEN Delta2(r , p. i) 

ELSE 0 
END IF 

clock_prop: LEMMA rt(p, i + 1, T) ■ rt(p, i, T + Deltal(p, D) 

D2bar_prop: LEMMA abs(D2bar(p, q» i)) < Delta 

skew: function [proc. proc, clocktime, period -> clocktime] = 

(LAMBDA p, q. T, i -> clocktime : abs(rt(p, i, T) - rt(q, i, T))) 

S1A: function [period -> bool] 

SlAdef : AXIOM 
SlA(i) 

“ (FORALL r : (m + 1 o= r AND r <* n) IMPLIES nonfaulty(r. i)) 

SIC: function [proc, proc, period -> bool] 

SICdef : AXIOM 
SlC(p, q, i) 

* (nonfaulty(p, i) AND nonfaulty(q, i) AND in_R_interval(T, i) 
IMPLIES skew(p, q, T, i) <= delta) 

SIC.lemma: LEMMA SlC(p, q, i) IMPLIES SlC(q, p, i) 

S2: function [proc, period -> bool] 

S2_ax: AXIOM S2(p, i) * (abs(Corr(p, i + 1) - Corr(p, i)) < Sigma) 

AO: AXIOM skew(p, q, T_sup(0), 0) < deltaO 

A2: AXIOM nonfaulty(p, 1) 

AND nonf aulty(q, i) AND SlC(p, q, i) AND S2(p, i) 

IMPLIES abs(Delta2(q, p, i)) <** S 
AND (EXISTS TO : 

in_S_interval(TO, i) 
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AND aba (rt (p . i. TO + Delta2(q, p, i)) - rt(q, i, TO)) 
< eps) 

A2_aux : AXIOM Delta2(p, p, i) - 0 
Theorem.l: THEOREM SlA(i) IMPLIES SlC(p, q f i) 

Theorem_2 : THEOREM S 2 (p, i) 

PROOF 

C2and3_proof : PROVE C2and3 FROM C2, C3 

clock_proof : PROVE clock_prop FROM 

clockdef {T <- T + Deltal(p, i)}, clockdef {i <- i + l}, Algl 

D2bar_prop_proof : PROVE D2bar_prop FROM 
Alg3 {r <■ p, p <■ q}, CO_c, aba.axO 

SlC_lemma_proot : PROVE SlC_lemma FROM 
SICdef . 

SICdef {p <- q f q <- p}, 

aba_ax4 {x <- rt(q, i, TCpl) , y <- rt(p, i, TCpl)} 

Theorem_2_proof : PROVE Theorem_2 FROM 
S2_ax, 

Algl, 

D2bar_prop {p <- ppCp7, q <- p}, 

Alg2, 

CO_a, 

CO_c , 

mean_bound 
{i <- 1, 
j <- n, 
x <- Delta, 

F <- (LAMBDA r -> number : abs(D2bar(r, p, i)))}, 
aba .mean 
{i <- 1. 
j <~ n, 

F <- (LAMBDA r -> number : D2bar(r, p, 1))}, 

C3 


END algorithm 
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clockprops: MODULE 

USING clocks, algorithm, nat induct ion 
THEORY 

T. TO. Tl, T2, TN. PI: VAR clocktime 
p, q: VAR proc 
i : VAR period 
upper_bound: LEMMA 

in_S_interval(T, i) AND abs(PI) <« R - S 

IMPLIES ad j usted (p, i, T + PI) o= adjusted(p, i + 1, T_sup(i + 2)) 

lower_bound: LEMMA 

0 <= PI IMPLIES adjusted(p, 0, T_sup(0)) 

<■ adjusted(p, i, T_sup(i) + PI) 

lower_bound2 : LEMMA 

in_S_interval (T , i) AND abs(PI) <= R - S 

IMPLIES adjusted(p, 0, T_sup(0)) <= adjusted(p, i, T + PI) 

adj_alvays_pos : LEMMA adjusted(p, i, T_sup(i)) >= T_ZERO 

nonfx: LEMMA nonf aulty(p, i + 1) IMPLIES nonf aulty(p, i) 

SlA_lemma: LEMMA SlA(i + 1) IMPLIES SlA(i) 

PROOF 

i2R: LEMMA T_sup(i + 2) « T_sup(i) + 2 * R 

i2R_proof : PROVE i2R FROM T_sup_ax {i <- i + 2}, T„sup_ax 

upper_bound_proof : PROVE upper_bound FROM 
Sdef , 

12R, 

abs_ax6 {x <- PI, y <- R - S}, 

S2_ax, 

Theorea_2, 

abs_ax6 {x <- Corr(p, i + 1) - Corr(p, i), y <- Sigma}, 

C2 
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basis : LEMMA adjusted(p, 0, T.sup(O)) >= T_ZER0 

basis_proof : PROVE basis FROM zero_correction, T_sup_ax {i <- 0} 

small^shift: LEMMA Corr(p, i + 1) - Corr(p, i) >= -R 

small.shil t_proof : PROVE eaiall.shif t FROM 
S2_ax, 

Theorem_2, 

abs_ax {a <- Corr(p, i + 1) - Corr(p, i)}, 

C2 , 

SinR 

inductive_step: LEMMA 

adjusted(p, i, T_sup(i)) >« T_ZERO 

IMPLIES adjusted(p, i + 1, T_sup(i + 1)) >= T_ZERO 

ind_prooT: PROVE inductive_step FROM small_shift, T_next 

adj_pos_proof : PROVE adj_always_pos FROM 
induction 
{n <- i, 

prop <- (LAMBDA i -> bool : adjusted (p, i, T_sup(i)) >= T_ZERO)} t 
basis . 

induct ive_step {i <- iCpl} 

lovrer_bound_proof : PROVE lower_bound FROM 

adj_always_pos, T_sup_ax {i <- 0}, zero_correction 

lower_bound2_proof : PROVE lover_bound2 FROM 
lower_bound {PI <- T - T_sup(i) ♦ PICc}, 

Sdef , 

abs_ax {a <- Pi}. 

SinR 

gc_prop: LEMMA 

goodclock(p, TO, TN) AND TO <«= T AND T <« TN 
IMPLIES goodclock(p, TO, T) 

gc_proof : PROVE gc_prop FROM 

gc_ax (T1 <- TlCp2, T2 <- T2Cp2}, gc_ax {TN <- T} 

bounds: LEMMA 

adjusted(p, 0. T_sup(0)) <« adjusted(p, i, T_sup(i + 1)) 

AND adjusted(p, i, T_sup(i +1)) 

<= adjusted(p, i + 1 , T_sup(i +2)) 
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bounds .proof : PROVE bounds FROM 

upper_bound {PI <- 0, T <- T_sup(i + 1)}, 
lower_bound2 (PI <- 0, T <- T_sup(i + 1)}, 
abs.axO , 

SinR. 

Ti_in_S 

nonf x^proof : PROVE nonf x FROM 
A1 {i <- i + 1}, 

Al, 

gc_prop 

{TO <- adjusted(p ( 0, T_sup(0)), 

TN <- adjusted(p, i + 1, T_sup(i +2)), 
T <~ adjusted(p, i, T_sup(i + 1))}, 
bounds 

SlA_lenuna_proof : PROVE SlA_lemma FROM 
SlAdef , 

SlAdef {i <- i + 1, r <- rCpl}, 
nonfx {p <- rCpl) 


END clockprops 
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lemmal: MODULE 

USING algorithm, lemma2 

THEORY 

p, q: VAR proc 

i : VAR period 

lemmaldef: LEMMA 
SlC(p, q, i) 

AND S2(p, i) AND nonfaulty(p, i + 1) AND nonf aulty(q, i + 1) 
IMPLIES abs(Delta2(q, p, i)) < Delta 


PROOF 

lemmal_proof : PROVE lemmaldef FROM 
A2. 

Iemma2c {PI <- Delta2(q f p, i), T <- TOCpl}, 

SICdef {T <- TOCpl}, 

abs_ax4 {x <- rt(p, i, TOCpl), y <- rt(q, i, TOCpl)}, 
abe_ax4 

{x <- rt(p, i, TOCpl + PICp2) , 
y <- rt (p, i, TOCpl) + PICp2}, 

aba_ax2b {x <- yCp6 - xCpB, y <- yCp4 - xCp4, z <- xCp6 - yCp4}, 
nonfx, 

nonfx {p <- q}, 
inRS {T <- TOCpl}, 

mult4 {x <- half(rho), y <- aba(Delta2(q, p, i)), z <- S}, 
rho_poa , 

C4 


END lemmal 
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lemma2: MODULE 

USING algorithm, clockprops 

THEORY 

p # q, r: VAR proc 

i: VAR period 

T: VAR clocktime 

PI. PHI: VAR realtime 

lemma2def : LEMMA 
nonfaultyCp, i + 1) 

AND adjustedCp, i, T) <*= adjustedCp, i + 1. T_sup(i + 2)) 

AND adjustedCp , 0, T_sup(0)) <= adjustedCp, i, T) 

AND adjustedCp, i. T + PI) 

<* adjustedCp, i + 1, T_sup(i +2)) 

AND adjustedCp, 0, T_sup(0)) <= adjustedCp, i, T + PI) 
IMPLIES absCrtCp. 1, T + PI) - (rtCp. i. T) + PI)) 

< mult (half (rho) , abs (PI)) 

lemma2a: LEMMA 

nonfaultyCp, i + 1) 

AND abs CPI + PHI) <= R - S 

AND absCPHI) <= R - S AND in_S_interval(T, i) 

IMPLIES absCrtCp, i, T + PHI + PI) - (rt(p, i. T + PHI) + PI)) 

< mult Chalf Crho) , abs (PI)) 

lemma2b: LEMMA 

nonfaultyCp, i + 1) 

AND abs (PHI) <= S AND abs (PI) <■= S AND in_S_interval(T, i) 
IMPLIES abs(rt(p, i, T + PHI + PI) - (rt(p, i, T + PHI) + PI)) 

< mult (half (rho) , abs (PI)) 

lemma2c : LEMMA 

nonfaultyCp, i + 1) AND abs (PI) <= S AND in_S_interval (T, i) 
IMPLIES abs(rt(p, i, T + PI) - (rt(p, i, T) + PI)) 

< mult (half (rho) , abs (PI)) 

lemma2d: LEMMA 

nonfaultyCp. i) AND 0 <= PI AND PI <« R 

IMPLIES abs(rt(p, i, T_sup(i) + PI) - (rt(p, i, T_sup(i)) + PI)) 
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< mult (half (rho), PI) 


PROOF 

lenma2_proof : PROVE lemma2def FROM 
A1 {i <- i + 1}, 
gc_ax 

{TO <- adjusted(p, 0, T_sup(0)), 

TN <- adjusted(p, i + 1, T_sup(i + 2))* 

T2 <- adjusted (p, i t T) . 

T1 <- adjust ed(p, i, T + PI)}, 
clockdef, 

clockdef {T <- T + PI} 

lemma2a_proof : PROVE lemma2a FROM 
lemma2def {T <- T ♦ PHI}, 
upper^bound {PI <- PHI + PI}, 
lover Jbound2 {PI <- PHI + Pi}, 
upper^bound {PI <- PHI}, 
lover_bound2 {PI <- PHI} 

lemma2b_proof : PROVE lemma2b FROM 
lemma2a, 

abs_axl {x <- PI}, 
abs_ax2 {x <- PHI. y <- Pi}, 

Cl. 

posS, 

posR 

lemma2c_proof : PROVE leamia2c FROM leaina2b {PHI <- 0}, abs_axO, posS 

lemna2d_proof : PROVE lemma2d FROM 
Al. 
gc_ax 

{TO <- adjusted(p, 0, T_sup(0)), 

TN <- adjusted(p, i, T.supCl ♦ 1)), 

T1 <- adjusted(p, i, T_sup(i) + PI), 

T2 <- adjusted (p, 1, T_sup(i))}, 
clockdef {T <- T.sup(i)}, 
clockdef {T <- T_sup(i) ♦ PI}, 
posR, 

pos_abs {x <- Pi}, 
lover_bound, 
lover_bound {PI <- 0}, 

T.next 


END lemi&a2 


200 


Appendix D. Plain EHDM Specification Listings 


lemma3: MODULE 

USING algorithm, lemma2 

THEORY 

p, q: VAR proc 
i: VAR period 

T, TO, Tl, T2 : VAR clocktime 

PI: VAR realtime 

lemma3def: LEMMA 
SlC(p, q. i) 

AND S2(p, i) 

AND nonfaulty(p, i + 1) 

AND nonfaulty(q, i ♦ 1) AND in_S_interval(T, i) 
IMPLIES abs (rt (p , i. T + Delta2(q, p. i)) - rt(q, i, T)) 
< eps + rho * S 


PROOF 

lemmaS.proof : PROVE lemma3def FROM 
A2, 

rearrange_alt 

{x <- rt(p, i, T + Delta2(q, p, i)), 
y <- rt(q, i, T). 

u <- rt(p, i, TOCpl + Delta2(q. p, i)). 

7 <- T - TOCpl. 
w <- rt(q. i, TOCpl)}, 

lemma2b {T <- TOCpl, PHI <- Delta2(q. p, i) . PI <- T - TOCpl}. 

Iemma2c {p <- q, T <- TOCpl, PI <- T - TOCpl}, 

nonfx, 

nonfx {p <- q}, 

mult4 {x <* half(rho), y <- abs(T - TOCpl), z <- S}. 
rho_pos , 

half 3 {x <- rho, y <- S}, 
mul t_ ax {x <- rho, y <- S}, 
in_S_lemma {Tl <- T, T2 <- TOCpl} 


END lemma3 
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lemma4: MODULE 

USING algorithm , lemmal , lemma2, lemma3 
THEORY 

p, q. r: VAR proc 

i : VAR period 

T: VAR clocktime 

lemma4def: LEMMA 
SiC(q. r, i) 

AND SlC(p f q ( i) 

AND SlC(p, r, i) 

AND S2(p, i) 

AND S2(q, i) 

AND S2(r # i) 

AND nonfaulty(p, 1+1) 

AND nonf aulty(q, 1 + 1) 

AND nonfaulty(r, i + 1) AND in_S_interYal(T, i) 
IMPLIES abs (rt (p , i, T) + D2ba r(r, p, i) 

- (rt (q, i, T) + D2bar(r, q, i))) 

< 2 * (eps + rho * S + mult (half (rho) , Delta)) 


PROOF 

TO, Tl. T2 : VAR clocktime 

PI : VAR realtime 

u, t, v, x, y, z: VAR number 

rearrangel : LEMMA x - y * (u - y) - (▼ - x) ♦ (▼ - w) - (u - w) 
rearrange l^pr oof : PROVE rearrangel 
rearrange2: LEMMA 

abs ( (u - y) - (v - x) + (v - w) - (u - v)) 

<“ abs (u - y) + abs(Y - x) + abs(v - v) + abs(u - w) 

rearrange2_proof : PROVE rearrange2 FROM 

abs_ax2c {w <- (u - y) . x <- (x - v) , y <- (▼ - v) f z <- (v - u)}, 
abs_ax3 {x <- (v - x)}, 
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abs_ax3 {x <- (u - w)} 
rearranges: LEMMA 

abs(x - y) <« abs(u - y) + abs(v - x) + aba(v - w) ♦ abs(u - w) 

rearrange3_proof : PROVE rearranges FROM rearranged rearranges 

eublemmal : LEMMA 
SlC(p. r, i) 

AND S2(p, i) AND nonfaulty(p, i + 1) AND nonfaulty(r, i + 1) 
IMPLIES D2bar(r, p. i) - Delta2(r, p. i) 

eublemmal _proof : PROVE eublemmal FRDM 
lemmaldef {q <- r}, AlgS, A2_aux 

lemmaSx: LEMMA 
SlC(p, r. i) 

AND S2(p. 1) 

AND nonfaulty(p. i + 1) 

AND nonf aulty (r, i + 1) AND in_S_interyal(T, i) 

IMPLIES abs (rt (p . 1, T + Deltas (r, p, i)) 

- (rt(p, 1, T) ♦ Delta2(r, p, i) ) ) 

< mult (half (rho) f Delta) 

lemma2x_proof : PROVE lemma2x FROM 
lemma2c {PI <- Deltas (r, p, i)}, 
lemmaldef {q <- r}, 

C2and3 . 

mult4 {x <- half (rho) , y <- abs(Delta2(r, p, i)), z <- Delta}, 
rho_poe 

lemma4_proof : PROVE lemma4def FROM 
rearranges 

{x <- rt(p, i, T) + D2bar(r , p, 1). 

y <- rt(q, i. T) + D2bar(r, q, 1), 

u <- rt(q, 1, T + Deltas (r, q, i)), 

y <- rt(p, i, T ♦ Delta2(r, p, 1)), 

w <- rt(r, i. T)}, 

eublemmal , 
eublemmal {p <- q}, 
lemma2x , 

lemma2x {p <- q}, 
lemmaSdef {q <- r}, 
lemma3def {p <- q, q <- r}, 

S1C_ lemma 


END lemma4 
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lenunaB : MODULE 

USING algorithm, clockprops 

THEORY 

p, q, r: VAR proc 

T: VAR clocktime 

i. j : VAR period 

lemma6def: LEMMA 
SiC(p, q. i) 

AND nonfaultyfp, i + 1) 

AND nonfaultyCq. i + 1) AND in_S_interval(T, i) 
IMPLIES abs (rt (p , i, T) + D2bar(r, p, i) 

- (rt(q, i, T) + D2bar(r, q. i))) 

< delta + 2 * Delta 


PROOF 

a, b, x, y: VAR clocktime 

rearrangel : LEMMA (a + x) - (b ♦ y) * (a - b) + x - y 
re arrange l_pr oof : PROVE rearrangel 
rearrange2: LEMMA 

abs ( (a + x) - (b + y)) <« abs(a - b) + abs(x) ♦ abs(y) 

rearrange2_proof : PROVE rearrange2 FROM 

rearrangel, abs_ax8, abs_ax2 {x <- (a - b) , y <- (x - y)} 

lemmaEproof : PROVE lemmaEdef FROM 
rearrange2 

{a <- rtCp, i. T), 
b <- rt(q, i, T), 
x <- D2bar(r, p, i) . 
y <- D2bar(r , q, i)}. 

D2bar_prop {p <- r, q <- p}. 

D2bar_prop {p <- r, q <- q}. 
inRS, 

SICdef . 
nonfx, 


I 
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nonlx {p <- q} 

END lemm&5 
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lemmad: MODULE 

USING algorithm, clockprops, lemma2 
THEORY 

p. q: VAR proc 

i : VAR period 

T, PI: VAR clocktime 

eublemmaJL LEMMA 
nonfaulty(p. i) 

AND nonfaulty(q, i) AND inJLinterral(T, i) 

IMPLIES Bkev(p, q. T. i) 

< ekew(p, q. T_Bup(i). i) + rho * R 

lemmaddef: LEMMA 
nonfaultyCp, i + 1) 

AND nonf aulty(q, i + 1) AND in_R_interval(T, i ♦ 1) 
IMPLIES Bkew(p, q. T, i + 1) 

< abs (rt (p , i, T_eup(i + 1)) + Deltal(p. i) 

- (rt (q, i. T_eup(i + 1)) + Deltal(q, i))) 

+ rho * R 
+ rho * Sigma 


PROOF 

sublemmal : LEMMA 

0 <- PI AND PI <*= R IMPLIES 2 * mult (half (rho) , PI) <- rho * R 

Bubl_proof : PROVE sublemmal FROM 
nult2 {x <- half (rho), y <- R}, 
times_half {x <- rho), 
mult4 {x <- half (rho) , y <- PI , z <- R} , 
rho^pos , 

mult_ax {x <- rho, y <- R} 

eub_A_proof : PROVE sublemma_A FROM 
Rdef , 

rearrange_alt 

{x <- rt (p, i, T), 
y <- rt (q, i, T) . 
u <- rt(p, i, T_sup(i)) , 
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Y <- PICpl ( 

¥ <- rt(q, i, T_sup(i))}, 
lemma2d {PI <- PICpl}, 
lemma2d {p <- q, PI <- PICpl}, 
aublemmal {PI <- PICpl} 

8ublenuna2 : LEMMA 

Bkew(p, q, T. i + 1) 

= abs (rt (p , i, T + Deltal(p, i)) - rt(q, i, T + Deltal(q, i))) 

flub2_proof : PROVE 8ublemma2 FROM clock_prop, clock_prop {p <- q} 

lemma6_proof : PROVE lemmaGdef FROM 
8ublemma_A{i <- i + l}, 

Bublemaa2 {T <- T_sup(i + 1)}, 
rearrange 

{x <- rt(p, i, T_sup(i + 1) + Deltal (p, i)), 

y <- rt(q, i, T_sup(i + 1) + Deltal (q, i)), 

u <- rt (p, 1, T_aup(i + 1)), 

y <- Deltal (p, 1). 

w <- rt(q, 1, T_eup(i + 1)), 

z <- Deltal (q, 1)}, 

lemma2c {T <- T_aup(i + 1), PI <- Deltal (p, i)}, 
lemma2c 

{T <- T_Bup(i + 1), 

PI <- Deltal (q, i) , 

p <- q}. 

Algl. 

Algl {p <- q}. 

S2_ax, 

S2_wt {p <- q}. 

Theorem_2. 

Theorem_2 {p <- q}, 

suit 4 {x <- half (rho) , y <- aba (Deltal (p,i)) , z <- Sigma}, 
ault4 {x <- half (rho) , y <- abB(Deltal(q,i)) , z <- Sigma}, 
rho.pos , 

Ti_in_S, 

C2, 

half 3 {x <- rho, y <- Sigma}, 
mult_ax {x <- rho, y <- Sigma} 


END lemma6 
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summations : MODULE 

USING algorithm, sums. lemm&4, lemmaS, lemma© 

THEORY 

p, q, r: VAR proc 

T: VAR clocktime 

i : VAR period 

culmination: LEMMA 

SlA(i + 1) AND SlC(p, q, i) 

IMPLIES (nonfaulty(p, i + 1) 

AND nonfaulty(q, i ♦ 1) AND inJLinterral(T, i + 1) 
IMPLIES skev(p, q, T, i + 1) 

<■ ((delta + 2 * Delta) * m 

+ 2 * (rho * S ♦ eps 

+ mult (half (rho) , Delta)) 

* (n - m)) 

/ n 

+ rho * R 
+ rho * Sigma) 

PROOF 

11: LEMMA abs(rt(p, i, T_sup(i + 1)) ♦ Deltal(p, i) 

- (rt(q, i, T_sup(i ♦ 1)) + DeltaKq, i))) 

<** sean(l, 
n. 

(LAMBDA r -> number : 

abs(rt(p, i, T_sup(i + 1)) + D2bar(r, p. i) 

- (rt (q, i. T_sup(i 1)) ♦ D2bar(r, q, i))))) 

12: LEMMA abs(rt(p, i. T_sup(i + 1)) + DeltaKp, i) 

- (rt(q, i, T_sup(i ♦ 1)) + Deltal(q, i))) 

<■ (sum(l, 

i. 

(LAMBDA r -> number : 

abs (rt (p , 1, T_sup(i + 1)) + D2bar(r, p. i) 

- (rt (q, i. T_sup(i + 1)) + D2bar(r, q, i))))) 
+ sum(m + 1, 

n. 

(LAMBDA r -> number : 
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/ n 


abs(rt Cp, 1. T_aup(i + 1)) + D2bar(r, p. i) 
- (rt(q, i, T_aup(i + 1)) 

+ D2bar(r, q, i)))))) 


13: LEMMA SlA(i + 1) 

AND SlC(p, q. 1) AND nonlaulty(p, 1+1) AND nonlaulty(q, 1+1) 
IMPLIES aum(l , 

■ . 

(LAMBDA r -> number : 

aba (rt (p , 1, T_sup(i + 1)) + D2bar(r, p, 1) 

- (rt(q, 1, T_aup(i + 1)) 

+ D2bar(r, q. 1))))) 

<*= (delta + 2 * Delta) * m 

14: LBffliA S1A(1 + 1) 

AND SlC(p, q, 1) AND nonlaulty(p, 1+1) AND nonlaulty(q, 1+1) 
IMPLIES eum(a + 1, 
n, 

(LAMBDA r -> number : 

aba (rt (p, 1, T_eup(i + 1)) + D2bar(r, p. 1) 

- (rt(q, 1. T_aup(l + 1)) 

+ D2bar(r, q, 1))))) 

<*= 2 * (rho * S + eps + mult (hall (rho) . Delta)) * (n - n) 

IB: LEMMA S1A(1 + 1) 

AND SlC(p, q, 1) AND nonfaulty(p. 1+1) AND nonlaulty(q, 1+1) 
IMPLIES aba (rt (p , 1. T_eup(i + 1)) + Deltal(p. 1) 

- (rt(q. 1, T_aup(l + 1)) + Deltal(q, 1))) 

<■ ((delta + 2 * Delta) * m 

+ 2 * (rho * S ♦ epa ♦ mult (hall (rho) , Delta)) 

* (n - m)) 

/ n 


ll_prool : PROVE 11 FROM 
Alg2. 

Alg2 {p <- q}, 
rearrange.sum 

{x <- rt(p. i, T_Bup(i ♦ 1)), 
y <- rt (q f i, T_Bup(i ♦ 1)), 

F <- (LAMBDA r -> number : D2ber(r, p, 
G <- (LAMBDA r -> number : D2bar(r # q, 
i <- 1. 

J <- »}, 

abs .me an 
{i <- i. 

1 <~ n. 


D). 

D). 
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F <- (LAMBDA r -> number : 

xCp3 + D2bar(r , p. i) - (yCp3 + D2bar(r, q, 1)))}, 

C0_a 

12_proof : PEDVE 12 FROM 
11, 

splitjaiean 
{i <- 1, 

J <- n, 

k <- n. 

F <- (LAMBDA r -> number : 

abs (rt (p f 1, T_eup(i + 1)) + D2bar(r, p, i) 

- (rt (q, 1. T_aup(i + 1)) + D2bar(r, q, 1))))}, 

CO_a, 

CO.b 

bound_f aulty : LEMMA 
SlA(i + 1) 

AND SlC(p, q, i) 

AND 1 <« r 

AND r <* m AND nonfaulty(p, 1 + 1) AND nonf aulty(q, 1 + 1) 
IMPLIES abs (rt (p, 1, T_aup(i + 1)) + D2bar(r, p, 1) 

- (rt (q, 1, T_aup(i + 1)) + D2bar(r. q, 1))) 

< delta + 2 * Delta 

bound_laulty_proof : PROVE bound_f aulty FROM 
lemmaBdef {T <- T_aup(i + 1)}, Ti_in_S 

IS.proof : PROVE 13 FROM 
aum_bound 

{F <- (LAMBDA r -> number : 

abs (rt (p, 1, T_aup(i + 1)) + D2bar(r, p, 1) 

- (rt (q, 1, T_aup(i + 1)) + D2bar(r, q. 1)))), 
x <- delta + 2 * Delta, 

1 <- 1. 

j <- *}. 

bound_f aulty {r <- ppCpl), 

CO_b 

S2_pqr : LEMMA S2(p, i) AND S2(q, 1) AND S2(r. 1) 

S2_pqr .proof : PROVE S2_pqr FROM 
Theorem.2, Theorem^ {p <- q}, Theorem_2 {p <- r} 

bound.nonf aulty : LEMMA 
S1A(1 + 1) 

AND SlC(p, q. 1) 
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AND m + 1 <« r 

AND r <■ n AND nonfaulty(p. i + 1) AND nonfaulty(q, i + 1) 
IMPLIES aba(rt(p. i. T_aup(i + 1)) + D2bar(r, p. i) 

- Crt(q, i, T_Bup(i + 1)) + D2bar(r. q, i))) 

< 2 * (rho * S + eps + mult (half (rho) , Delta)) 

bound_nonfaulty.proof : PROVE bound_nonfaulty FROM 
SlAdef {i <- i + 1}, 

SlA.lemma. 

SlAdef. 

nonfx. 

nonfx {p <- q}, 

Theorem.l {q <- r}, 

Theorem.! {p <- q, q <- r} ( 

S2_pqr, 

lemma4def {T <- T.aup(i +1)}. 

Ti_in_S 

14 .pro of : PROVE 14 FROM 
eum.bound 

{F <- (LAMBDA r -> number : 

aba(rt(p. 1, T_eup(i + 1)) ♦ D2bar(r, p. 1) 

- (rt (q, 1. T.aupd + 1)) + D2bar(r. q. i)))). 
x <- 2 * (rho * S + eps + mult (half (rho) , Delta)). 

1 <- m ♦ 1, 

j <- »}. 

bound.nonf aulty {r <- ppCpl}, 

CO.b 

IB.proof : PROVE 15 FROM 
12. 

IS. 

14. 

div_mon2 

{x <- eum(l. 

m. 

(LAMBDA r -> number : 

abs(rt(p, i, T.supd + 1)) ♦ D2bar(r, p, 1) 

- (rt (q, 1. T.eupd + 1)) + D2bar(r. q. i))))) 

+ sum(m + 1 . 

*» 

n. 

(LAMBDA r -> number : 

abs(rt(p. i, T.Bupd + 1)) ♦ D2bar(r, p, i) 

- (rt (q. 1. T.oupd + 1)) + D2bar(r. q, i))))). 
y <- (delta + 2 * Delta) * m 

+ 2 * (rho * S + eps + mult (half (rho) . Delta)) * (n - m) , 
z <- n}. 
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CO_a 

culm_proof : PROVE culmination FROM lemmaCdef . 16, SlAdef {i <- i ♦ 1} 


END summations 
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juggle: MODULE 
USING algorithm 
THEORY 

rearrange_delta: LEMMA 

delta >» 2 * (eps + rho * S) ♦ 2 * m * Delta / (n - a) 

♦ n * rho * R / (n - a) 

+ rho * Delta 

+ n * rho * Sigma / (n - a) 

IMPLIES delta 

>* ((delta ♦ 2 * Delta) * a 

+ 2 * (epa ♦ rho * S + mult (half (rho) , Delta)) 
* (n - a)) 

/ n 

+ rho * R 
+ rho * Sigma 

PROOF 

a, b, bl, b2, b3 f b4 f bB, b6, c, x, y: VAR number 
diatribe: LEMMA 

(bl + b2 + b3 + b4 + bB + b6) * c 
“bl*c + b2*c + b3*c + b4*c + bB*c + b6*c 

diatrib6_proof : PROVE diatribe 

dlBtribe.ault : LEMMA 

nult ( (bl + b2 ♦ b3 ♦ b4 + bB + b6) . c) 

* ault(bl, c) + ault(b2, c) + mult(b3, c) + ault(b4, c) 

+ mult(b6, c) 

+ mult (b6 f c) 

diatrib6_mult_proof : PROVE diatribO.mult FROM 
dl8trlb6 ( 

ault_ax {x <- bi ♦ b2 + b3 + b4 + bB + b6, y <- c}. 

ault.ax (x <- bl, y <- c}, 

ault.ax {x <- b2, y <- c}, 

ault_ax {x <- b3. y <- c}, 

ault_ax {x <- b4. y <- c}. 

mult _ ax {x <- bB. y <- c}, 

ault_ax {x <- b6, y <- c} 
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mult.ineql : LEMMA 

a >= bl + b2 ♦ b3 + b4 + b5 AND c > 0 
IMPLIES mult (a, c) 

>» mult (bl , c) + mult (b2 , c) + mult(b3, c) + mult(b4, c) 

+ mult(b&, c) 

mult_ineql_proof : PROVE mult.ineql FROM 
distrib6_mult {b6 <- 0}, 

mult_mon2 {x <- bl + b2 + b3 ♦ b4 + bB, y <- a, z <- c}, 
mult_ax {x <- 0, y <- c} 

diBtrlbO.diT: LEMMA 

c > 0 IMPLIES (bl + b2 + b3 + b4 + bB + b6) / c 

■bl/c+b2/c + b3/c + b4/c + bB/c+b6/c 

reciprocal: LEMMA y /- 0 IMPLIES mult(x, 1 / y) - x / y 

reciprocal^proof : PROVE reciprocal FROM quotient .ax, mult.ax {y <- 1/y} 

distrib6_div_proof : PROVE diatribC.diY FROM 
diatribe jiult {c <- 1 / c}, 

reciprocal {x <- bl + b2 + b3 + b4 ♦ b6 + b6, y <- c}, 

reciprocal {x <- bl, y <- c}, 

reciprocal {x <- b2, y <- c}, 

reciprocal {x <- b3, y <- c}, 

reciprocal {x <- b4, y <- c}, 

reciprocal {x <- b6, y <- c}, 

reciprocal {x <- b6, y <- c} 

cancel.mult: LEMMA c > 0 AND mult (a, c) >* b IMPLIES a > B b / c 

cancel.mult.proof : PROVE cancel_mult FROM 
div_mon2 (z <- c, x <- b, y <- mult (a, c)}, 
cancellation.mult {x <- a, y <- c} 

mult_ineq2 : LEMMA 

c > 0 AND mult (a, c) >* bl + b2 + b3 + b4 + bB + b6 

IMPLIES a>«=bl/c + b2/c + b3/c + b4/c+bB/c + b6/c 

mult_ineq2_proof : PROVE mult.ineq2 FROM 

cancel.mult {b <- bl + b2 + b3 ♦ b4 ♦ bB + b6}, distrib6_div 

diatrib4.div: LEMMA 

c > 0 IMPLIES bl/c+b2/c+b3/c+b4/c 
» (bl + b2 + b3 + b4) / c 

distrib4_div_proof : PROVE diatrib4_div FROM 
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diatribe jault {bB <- 0, bC <- 0, c <- 1 / c}, 

reciprocal {x <- bl + b2 + b3 + b4, y <- c}, 

reciprocal {x <- bl, y <- c}, 

reciprocal {x <- b2, y <- c}, 

reciprocal {x <- b3, y <- c}, 

reciprocal {x <- b4, y <- c}, 

ault.ax {x <- 0, y <- 1 / c} 

atepl: LEMMA 

delta >* 2 * (eps + rho * S) + 2 * a * Delta / (n - a) 

+ n * rho * R / (n - a) 

+ rho * Delta 

+ n * rho * Sigma / (n - m) 

IMPLIES mult (delta, n - m) 

>■ mult (2 * (eps + rho *S),xi-b)+2*b* Delta 
+ n * rho * R 

♦ ault (rho * Delta, n - ■) 

+ n * rho * Sigma 

atepl _proof : PROVE atepl FROM 
ault_ineql 
{a <- delta, 
c <- n - a, 

bl <- 2 * (eps + rho * S) , 
b2 <- 2 * b * Delta / (n - b) , 

b3 <- n * rho * R / (n - a) , 

b4 <- rho * Delta, 
bB <- n * rho * Sigma / (n - a)}, 
ault.div {x <- 2 * a * Delta, y <- n - a}, 

ault.diY {x <- n * rho * R, y <- n - a}, 

ault_div {x <- n * rho * Sigma, y <- n - a}, 

C0_b 

atep2: LEMMA 
suit (delta, n - a) 

>* ault(2 * (eps + rho *S),n-a)+2*a* Delta 
+ n * rho * R 

♦ mult (rho * Delta, n - m) 

+ n * rho * Sigma 

IMPLIES ault (delta, n) 

>= ault (delta, a) + ault (2 * (eps + rho * S) , n - a) 
+2*1* Delta 
♦ n * rho * R 
+ ault (rho * Delta, & - a) 

♦ n * rho * Sigma 


atep2_proof : PROVE step2 FROM 
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nult_ax {x <- delta, y <- n - m}, 
ault.ax {x <- delta, y <- n}, 
mult_ax {x <- delta, y <- m } 

atep3: LEMMA 
mult (delta, n) 

>* mult(delta, m) + mult(2 * (eps + rho * S) , n - m) 

+ 2 * m * Delta 
+ n * rho * R 
+ mult (rho * Delta, n - m) 

♦ n * rho * Sigma 
IMPLIES delta 

>■ mult (delta, m) / n + mult (2 * (eps + rho * S) , n - m) / n 
+ 2 * m * Delta / n 
+ rho * R 

+ mult (rho * Delta, n - m) / n 
+ rho * Sigma 

step3_proof : PROVE step3 FROM 
mult_ineq2 
{a <- delta, 
c <- n, 

bl <- mult(delta, m) , 
b2 <- mult (2 * (eps + rho * S) , n - m) , 
b3 <- 2 * m * Delta, 
b4 <- n * rho * R, 
bB <- mult (rho * Delta, n - m) , 
b6 <- n * rho * Sigma}, 
cancellation {x <- rho * R, y <- n}, 
cancellation {x <- rho * Sigma, y <- n}, 

C0_a 

step4: LEMMA 

delta >■ mult (delta, m) / n + mult (2 * (eps + rho * S) , n - m) / n 
+ 2 * m * Delta / n 
+ rho * R 

+ mult (rho * Delta, n - m) / n 
+ rho * Sigma 
IMPLIES delta 

>* (mult (delta, m) + mult (2 * (eps + rho * S) , n - m) 

+ 2 * m * Delta 
+ mult (rho * Delta, n - m)) 

/ n 

+ rho * R 
+ rho * Sigma 


step4_proof : PROVE step4 FROM 



216 


Appendix D. Plain EHDM Specification Listings 


CO_a, 

distrib4_div 
{c <- n. 

bl <- mult(delta, a) , 

b2 <- mult (2 * (eps + rho * S) . n - m) , 

b3 <- 2 * m * Delta, 

b4 <- nult(rho * Delta, n - m)} 

stepB: LEMMA 

delta > k (suit (delta, a) + ault(2 * (eps + rho * S) , n - a) 

+ 2 * b * Delta 
♦ ault(rho * Delta, n - a)) 

/ n 

+ rho * R 
+ rho * Sigma 
IMPLIES delta 

>* ((delta + 2 * Delta) * a 

+ 2 * (eps + rho * S + ault (half (rho) , Delta)) 

* (n - a)) 

/ n 

+ rho * R 
♦ rho * Sigma 

step6_proof : PROVE stepB FROM 
ault_ax {x <- delta, y <- a}, 
ault.ax {x <- rho * Delta, y <- n - a}, 
ault.ax {x <- 2 * (eps + rho * S) , y <- n - a} , 
half3 {x <- rho, y <- Delta}, 
ault_ax {x <- rho, y <- Delta} 

final: PROVE rearrange.delta FROM stepl, step2, step3, step4, stepB 


END juggle 
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n&in: MODULE 

USING nat induction, algorithm. lemmaC, summations. Juggle 
PROOF 

p. q. r: VAR proc 
i, j . k: VAR period 
T: VAR clocktime 

basis: LEMMA S1A(0) IMPLIES SlC(p. q. 0) 
basis .proof : PROVE basis FROM 

SlAdef {i <- 0}. sublemma w A {i <- 0} f SICdef {i <- 0}, AO. C6 
lnd.step: LEMMA 

SlA(i + 1) AND SlC(p. q. i) IMPLIES SlC(p. q, i + 1) 

ind_proof : PROVE ind.step FROM 

culmination, rearrange.delta, SICdef {i <- i + l}, C6 

Theorem.l.proof : PROVE Theorem.l FROM 
basis. 

ind.step {i <- iCp3}. 
mod.induction 
{n <- i, 

A <- (LAMBDA k -> bool : SlA(k)). 

B <- (LAMBDA k -> bool : SlC(p. q. k))}. 

SlA.lemma (i <- JCp3} 


END main 





